PT-2011-3825 · Iron Mountain · Iron Mountain Connected Backup

Published 2011-12-01 · Updated 2017-08-29 · CVE-2011-2397

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Iron Mountain Connected Backup version 8.4

Description

The issue allows remote attackers to execute arbitrary code via a crafted request. This is achieved by triggering the use of a specific class to send request data to the System.getRunTime.exec method.

Recommendations

For Iron Mountain Connected Backup version 8.4, consider disabling the LaunchCompoundFileAnalyzer class as a temporary workaround until a patch is available. Restrict access to the System.getRunTime.exec method to minimize the risk of exploitation.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2011-2397
ZDI-11-339

Affected Products

Iron Mountain Connected Backup