PT-2009-5365 · Veritas · Veritas Backup Reporter
Published: 2009-12-08 · Updated: 2018-10-10
CVE-2009-3027
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Symantec Backup Exec Continuous Protection Server (CPS) versions 11d through 12.5
Veritas NetBackup Operations Manager (NOM) versions 6.0 GA through 6.5.5
Veritas Backup Reporter (VBR) versions 6.0 GA through 6.6
Veritas Storage Foundation (SF) version 3.5
Veritas Storage Foundation for Windows High Availability (SFWHA) versions 4.3MP2 through 5.1AP1
Veritas Storage Foundation for High Availability (SFHA) version 3.5
Veritas Storage Foundation for Oracle (SFO) versions 4.1 through 5.0.1
Veritas Storage Foundation for DB2 versions 4.1 and 5.0
Veritas Storage Foundation for Sybase versions 4.1 and 5.0
Veritas Storage Foundation for Oracle Real Application Cluster (SFRAC) versions 3.5 through 5.0
Veritas Storage Foundation Manager (SFM) versions 1.0 through 2.0
Veritas Cluster Server (VCS) versions 3.5 through 5.0
Veritas Cluster Server One (VCSOne) versions 2.0 through 2.0.2
Veritas Application Director (VAD) version 1.1
Veritas Cluster Server Management Console (VCSMC) versions 5.1 through 5.5.1
Veritas Storage Foundation Cluster File System (SFCFS) versions 3.5 through 5.0
Veritas Storage Foundation Cluster File System for Oracle RAC (SFCFS RAC) version 5.0
Veritas Command Central Storage (CCS) versions 4.x through 5.1
Veritas Command Central Enterprise Reporter (CC-ER) versions 5.0 GA through 5.1
Veritas Command Central Storage Change Manager (CC-SCM) versions 5.0 and 5.1
Veritas MicroMeasure version 5.0
Description:
The issue is related to improper validation of authentication requests, allowing remote attackers to trigger the unpacking of a WAR archive and execute arbitrary code in the contained files via crafted data to TCP port 14300.
Recommendations:
For Symantec Backup Exec Continuous Protection Server (CPS) versions 11d through 12.5, update to a version that properly validates authentication requests.
For Veritas NetBackup Operations Manager (NOM) versions 6.0 GA through 6.5.5, update to a version that properly validates authentication requests.
For Veritas Backup Reporter (VBR) versions 6.0 GA through 6.6, update to a version that properly validates authentication requests.
For Veritas Storage Foundation (SF) version 3.5, update to a version that properly validates authentication requests.
For Veritas Storage Foundation for Windows High Availability (SFWHA) versions 4.3MP2 through 5.1AP1, update to a version that properly validates authentication requests.
For Veritas Storage Foundation for High Availability (SFHA) version 3.5, update to a version that properly validates authentication requests.
For Veritas Storage Foundation for Oracle (SFO) versions 4.1 through 5.0.1, update to a version that properly validates authentication requests.
For Veritas Storage Foundation for DB2 versions 4.1 and 5.0, update to a version that properly validates authentication requests.
For Veritas Storage Foundation for Sybase versions 4.1 and 5.0, update to a version that properly validates authentication requests.
For Veritas Storage Foundation for Oracle Real Application Cluster (SFRAC) versions 3.5 through 5.0, update to a version that properly validates authentication requests.
For Veritas Storage Foundation Manager (SFM) versions 1.0 through 2.0, update to a version that properly validates authentication requests.
For Veritas Cluster Server (VCS) versions 3.5 through 5.0, update to a version that properly validates authentication requests.
For Veritas Cluster Server One (VCSOne) versions 2.0 through 2.0.2, update to a version that properly validates authentication requests.
For Veritas Application Director (VAD) version 1.1, update to a version that properly validates authentication requests.
For Veritas Cluster Server Management Console (VCSMC) versions 5.1 through 5.5.1, update to a version that properly validates authentication requests.
For Veritas Storage Foundation Cluster File System (SFCFS) versions 3.5 through 5.0, update to a version that properly validates authentication requests.
For Veritas Storage Foundation Cluster File System for Oracle RAC (SFCFS RAC) version 5.0, update to a version that properly validates authentication requests.
For Veritas Command Central Storage (CCS) versions 4.x through 5.1, update to a version that properly validates authentication requests.
For Veritas Command Central Enterprise Reporter (CC-ER) versions 5.0 GA through 5.1, update to a version that properly validates authentication requests.
For Veritas Command Central Storage Change Manager (CC-SCM) versions 5.0 and 5.1, update to a version that properly validates authentication requests.
For Veritas MicroMeasure version 5.0, update to a version that properly validates authentication requests.
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
HP-UX
Symantec Backup Exec Continuous Protection Server
Veritas Application Director
Veritas Backup Reporter
Veritas Cluster Server
Veritas Cluster Server Management Console
Veritas Command Central Enterprise Reporter
Veritas Command Central Storage
Veritas Command Central Storage Change Manager
Veritas MicroMeasure
Veritas NetBackup Operations Manager
Veritas Storage Foundation
Veritas Storage Foundation Cluster File System
Veritas Storage Foundation Cluster File System Enterprise for Oracle RAC
Veritas Storage Foundation Manager
Veritas Storage Foundation for DB2
Veritas Storage Foundation for High Availability
Veritas Storage Foundation for Oracle
Veritas Storage Foundation for Oracle Real Application Cluster
Veritas Storage Foundation for Sybase