Security Advisory SYM09-017 Storage Foundation and High Availability Solutions patches for UNIX and Linux

Article:TECH77411  |  Created: 2009-01-30  |  Updated: 2009-01-10  |  Article URL http://www.symantec.com/docs/TECH77411
Article Type
Technical Solution

Solution



Overview
Symantec VRTSweb, a shared component shipped with many Symantec Veritas products, is susceptible to a remote code-execution vulnerability. The vulnerability is caused by improper validation of incoming data received on port 14300, the port on which VRTSweb listens.

This alert is being issued in conjunction with a Security Advisory, whose details are given at the following location:  
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091209_00 


Vulnerability Type                   Affected
Remote Access (Adjacent network)     Yes
Local Access                         No
Authentication Required              No
Exploit publicly available           No


Affected versions
The following versions of Storage Foundation and High Availability products on the UNIX and Linux platforms are affected.


Platform        Symantec Release Version                                    Remediation Type    Link
AIX             SF 5.0, SF 5.0 MP1, SF 5.0 MP3                              Apply patch         https://vos.symantec.com/patch/detail/2911
HP-UX           4.1 HP-UX 11iv2, 4.1 HP-UX 11iv2 MP1, 4.1 HP-UX 11iv2 MP2   Apply workaround
HP-UX           5.0 HP-UX 11iv2, 5.0 HP-UX 11iv2 MP1, 5.0 HP-UX 11iv2 MP2   Apply patch         https://vos.symantec.com/patch/detail/2976
HP-UX           5.0 HP-UX 11iv3                                             Apply patch         PHCO_40519*
HP-UX           5.0.1 HP-UX 11iv3                                           Apply patch         PHCO_40520*
Solaris SPARC   SF 5.0, SF 5.0 MP1, SF 5.0 MP3                              Apply patch         https://vos.symantec.com/patch/detail/2909
Solaris x86     SF 5.0 MP3                                                  Apply patch         https://vos.symantec.com/patch/detail/2910
Linux           SF 4.1, SF 4.1 MP1 - MP4                                    Apply workaround
Linux           SF 5.0, SF 5.0 MP2, SF 5.0 MP3                              Apply patch         https://vos.symantec.com/patch/detail/2943


* Download these patches from  
http://www.itrc.com

Resolution
Fixes are provided as patches, or as a workaround where no patch is available, for the combinations of Symantec releases and platforms listed above. If you cannot apply a patch immediately, Symantec strongly recommends implementing the workaround described in the next section as an interim measure.


Mitigation/Workaround
Block all incoming connections to port 14300 (the default; use the configured port if it has been changed) except those originating from localhost/127.0.0.1. This reduces the risk from this vulnerability until the recommended fix is applied.

or

Shut down VRTSweb, which disables the Web-UI functionality that depends on it. To shut down VRTSweb, use the following command on UNIX/Linux:
# /opt/VRTSweb/bin/webgui stop
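The following is an added example of the first workaround for a Linux host, not part of the Symantec advisory. It emits iptables rules that admit TCP connections to the VRTSweb port only when they arrive on the loopback interface (matching the interface rather than a 127.0.0.1 source address, since a source address can be forged on other interfaces), and it parses `netstat -ant` output to show which local addresses the port is currently bound on. Assumptions: VRTSweb listens on TCP, iptables is the host firewall, and the netstat output is in Linux format; the port defaults to 14300 and is passed as the first argument if it was reconfigured.

```shell
#!/bin/sh
# Added example, not part of the Symantec advisory: Linux iptables form of the
# interim workaround for the VRTSweb port, plus a check of the port's bindings.
# Assumes VRTSweb listens on TCP and that `netstat -ant` prints Linux-style
# output ("tcp  0  0 0.0.0.0:14300  0.0.0.0:*  LISTEN").

# Emit (do not execute) the iptables commands so they can be reviewed first and
# then piped to sh. The ACCEPT is inserted at position 1 and the DROP at
# position 2, so the loopback exception is evaluated before the drop and both
# sit ahead of any pre-existing ACCEPT rule in the INPUT chain.
vrtsweb_fw_rules() {
    port="${1:-14300}"
    case "$port" in
        ''|*[!0-9]*) echo "vrtsweb_fw_rules: invalid port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "vrtsweb_fw_rules: invalid port '$port'" >&2; return 1
    fi
    printf 'iptables -I INPUT 1 -p tcp --dport %s -i lo -j ACCEPT\n' "$port"
    printf 'iptables -I INPUT 2 -p tcp --dport %s -j DROP\n' "$port"
}

# Read `netstat -ant` output on stdin and print each local address the port is
# bound on. Exit status 1 means at least one binding is not a loopback address,
# i.e. the service is reachable from other hosts and the rules above are needed.
vrtsweb_port_binding() {
    port="${1:-14300}"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4; p = $4
            sub(/:[0-9]+$/, "", addr)   # strip the trailing ":port" -> bind address
            sub(/.*:/, "", p)           # keep only the port number
            if (p == port) {
                print addr
                if (addr !~ /^(127\.|::1$|::ffff:127\.)/) exposed = 1
            }
        }
        END { exit exposed ? 1 : 0 }'
}
```

Typical use is `netstat -ant | vrtsweb_port_binding` to see the current exposure, then `vrtsweb_fw_rules | sh` as root once the emitted rules have been reviewed. Rules added this way live only in the running kernel; persist them with the distribution's own iptables save mechanism if the host may reboot before the patch is applied, and remove them once the patch is installed and verified.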

      
Installing the patch

This section describes the steps for installing the patch on the following platforms:

AIX
HP-UX
Linux
Solaris

AIX:

Prerequisite: if the currently installed VRTSweb fileset is below level 5.0.1.0, upgrade VRTSweb to 5.0.1.0 before installing this patch. AIX maintenance levels and APARs can be downloaded from the IBM Web site:
      http://techsupport.services.ibm.com

Install the VRTSweb.rte.bff patch only when VRTSweb is already installed at fileset level 5.0.1.0.

To install the patch
    1.      Stop any Web applications and shut down the Web server using the command:
      # /opt/VRTSweb/bin/webgui stop
    2.      Confirm that VRTSweb is installed at fileset level 5.0.1.0 (see the prerequisite above); the VRTSweb.rte.bff patch applies only to that level.
    3.      To apply the patch, enter the commands:
      # cd <patch location>
      # installp -aXd VRTSweb.rte.bff VRTSweb
    4.      Restart the Web server using the command:
      # /opt/VRTSweb/bin/webgui start


HP-UX

To install the patch
    1.      Stop any Web applications and shut down the Web server using the command:
      # /opt/VRTSweb/bin/webgui stop
    2.      Install the patch for your release using the matching command:
      For 5.0 HP-UX 11i v2
      # swinstall -x autoreboot=true -s <patch location> PVCO_03902
      For 5.0 HP-UX 11i v3
      # swinstall -x autoreboot=true -s <patch location> PHCO_40519
      For 5.0.1 HP-UX 11i v3
      # swinstall -x autoreboot=true -s <patch location> PHCO_40520
    3.      Verify that the patch is correctly installed using the command for the patch you installed:
      # swverify PVCO_03902
      or
      # swverify PHCO_40519
      or
      # swverify PHCO_40520
    4.      Restart the Web server using the command:
      # /opt/VRTSweb/bin/webgui start
      After the restart, the About tab of the VRTSweb Web GUI (https://hostname:8443, where hostname is the server on which the patch was installed) should show the version string 5.5.27.0.


Linux

To install the patch
    1.      Stop any Web applications and shut down the Web server using the command:
      # /opt/VRTSweb/bin/webgui stop
    2.      Back up the file /opt/VRTSweb/catalina5/server/lib/vrtsserver.jar to another location; it is needed to remove the patch later.
    3.      Remove the file /opt/VRTSweb/catalina5/server/lib/vrtsserver.jar.
    4.      Download the security fix (the new vrtsserver.jar) from the link given in the Affected versions table above.
    5.      Copy the new vrtsserver.jar file to the directory /opt/VRTSweb/catalina5/server/lib/.
    6.      Restart the Web server using the command:
      # /opt/VRTSweb/bin/webgui start

Solaris:

To install the patch
    1.      Stop any Web applications and shut down the Web server using the command:
      # /opt/VRTSweb/bin/webgui stop
    2.      To install the patch, enter the commands for your architecture:
      # cd <patch location>
      For SPARC
      # patchadd 142627-01
      For x86
      # patchadd 142628-01
    3.      Restart the Web server using the command:
      # /opt/VRTSweb/bin/webgui start

Removing the patch
This section describes the steps for removing the patch on each platform.
AIX
    1.      Stop any Web applications and shut down the Web server using the command:
      # /opt/VRTSweb/bin/webgui stop
    2.      To remove the patch, enter the command:
      # installp -r VRTSweb.rte 5.0.1.1
    3.      Restart the Web server using the command:
      # /opt/VRTSweb/bin/webgui start
HP-UX
    1.      Stop any Web applications and shut down the Web server using the command:
      # /opt/VRTSweb/bin/webgui stop
    2.      To remove the patch, enter the command for the patch that was installed:
      For 5.0 HP-UX 11i v2
      # swremove -x autoreboot=true PVCO_03902
      For 5.0 HP-UX 11i v3
      # swremove -x autoreboot=true PHCO_40519
      For 5.0.1 HP-UX 11i v3
      # swremove -x autoreboot=true PHCO_40520
    3.      Restart the Web server using the command:
      # /opt/VRTSweb/bin/webgui start
Linux
    1.      Stop any Web applications and shut down the Web server using the command:
      # /opt/VRTSweb/bin/webgui stop
    2.      Remove the file /opt/VRTSweb/catalina5/server/lib/vrtsserver.jar.
    3.      Copy the original vrtsserver.jar file, saved during installation, back to the directory /opt/VRTSweb/catalina5/server/lib/.
    4.      Restart the Web server using the command:
      # /opt/VRTSweb/bin/webgui start
Solaris
    1.      Stop any Web applications and shut down the Web server using the command:
      # /opt/VRTSweb/bin/webgui stop
    2.      To remove the patch, enter the command for your architecture:
      For SPARC
      # patchrm 142627-01
      For x86
      # patchrm 142628-01
    3.      Restart the Web server using the command:
      # /opt/VRTSweb/bin/webgui start
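The Linux install and removal procedures above are a manual file swap with no check that the copy succeeded or that the saved original is intact when it is restored. The following is an added example, not part of the Symantec advisory, that carries out the same steps as two functions with a checksummed backup: install_jar stops the Web server, backs up the current jar with a recorded cksum fingerprint, replaces it with the downloaded file and refuses to start the server unless the installed copy matches the download; rollback_jar restores the backup only if it still matches the fingerprint taken at install time. The paths are the advisory's; VRTSWEB_ROOT, BACKUP_DIR (defaults /opt/VRTSweb and /var/tmp/vrtsweb-sym09-017) and the webgui wrapper are this script's own additions so it can be rehearsed against a staging copy of the tree.

```shell
#!/bin/sh
# Added example, not part of the Symantec advisory: the Linux vrtsserver.jar
# replacement and its rollback as verified, reversible steps. VRTSWEB_ROOT and
# BACKUP_DIR are this script's own overrides; the defaults are the advisory's
# path and a directory of this script's choosing.

jar_path()    { printf '%s\n' "${VRTSWEB_ROOT:-/opt/VRTSweb}/catalina5/server/lib/vrtsserver.jar"; }
backup_path() { printf '%s\n' "${BACKUP_DIR:-/var/tmp/vrtsweb-sym09-017}/vrtsserver.jar.orig"; }

# CRC and byte count from POSIX cksum, used to prove two copies are identical.
fingerprint() { cksum < "$1" | awk '{ print $1 ":" $2 }'; }

# Run the advisory's webgui stop/start only where the binary exists, so the
# functions can also be exercised against a staging copy of the tree.
webgui() {
    bin="${VRTSWEB_ROOT:-/opt/VRTSweb}/bin/webgui"
    if [ -x "$bin" ]; then "$bin" "$1"; fi
}

# $1 = path to the downloaded fixed vrtsserver.jar (link in the Affected versions table)
install_jar() {
    new="$1"; jar=$(jar_path); bak=$(backup_path)
    [ -f "$new" ] || { echo "install_jar: no such file: $new" >&2; return 1; }
    [ -f "$jar" ] || { echo "install_jar: no VRTSweb jar at $jar" >&2; return 1; }
    webgui stop
    # Step 2: back up the current jar and record its fingerprint for rollback.
    mkdir -p "$(dirname "$bak")" || return 1
    cp -p "$jar" "$bak" || return 1
    fingerprint "$jar" > "$bak.cksum"
    [ "$(fingerprint "$bak")" = "$(cat "$bak.cksum")" ] \
        || { echo "install_jar: backup does not match original" >&2; return 1; }
    # Steps 3 and 5: replace the jar, then refuse to start the server unless the
    # installed copy is byte-identical to the file that was downloaded.
    rm -f "$jar"
    cp "$new" "$jar" && chmod 0644 "$jar" || return 1
    [ "$(fingerprint "$new")" = "$(fingerprint "$jar")" ] \
        || { echo "install_jar: installed jar does not match download" >&2; return 1; }
    webgui start
}

# Undo install_jar: put the saved original back, but only if it is still intact.
rollback_jar() {
    jar=$(jar_path); bak=$(backup_path)
    [ -f "$bak" ] && [ -f "$bak.cksum" ] \
        || { echo "rollback_jar: no backup at $bak" >&2; return 1; }
    [ "$(fingerprint "$bak")" = "$(cat "$bak.cksum")" ] \
        || { echo "rollback_jar: backup no longer matches its recorded fingerprint" >&2; return 1; }
    webgui stop
    rm -f "$jar"
    cp -p "$bak" "$jar" || return 1
    webgui start
}
```

Run as root on the affected host: `install_jar /path/to/downloaded/vrtsserver.jar`, and `rollback_jar` to remove the patch. The fingerprint comparisons catch a truncated or wrong-file copy before the Web server is started on it; they do not authenticate the download itself, which should still be obtained only from the Symantec link in the table above.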



Best Practices
Symantec strongly recommends the following best practices:
1. Always perform a full backup prior to and after any changes to your environment.
2. Always make sure that your environment is running the latest version and patch level.
3. Perform periodic "test" restores.
4. Subscribe to technical articles.

How to Subscribe to Email Notification:

Article Subscription:
Subscribe to this TechNote for any updates that are made to this article, by clicking on the following link:   http://maillist.support.veritas.com/notification.asp?doc=337930 

Software Alerts:
If you have not received this from the Symantec Technical Support Email Notification Service, please click on the following link to subscribe to future Notifications: http://maillist.entsupport.symantec.com/subscribe.asp   






Legacy ID



337930

