PT-2015-6409 · Arcserve · Arcserve Udp

Rgod

Published

2015-05-26

Updated

2016-12-06

CVE-2015-4069

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Arcserve UDP versions prior to 5.0 Update 4

Description The issue allows remote attackers to obtain sensitive credentials via a crafted SOAP request to the getBackupPolicy or getBackupPolicies method. This is related to the EdgeServiceImpl web service in Arcserve UDP.

Recommendations For versions prior to 5.0 Update 4, update to version 5.0 Update 4 or later to resolve the issue. As a temporary workaround, consider restricting access to the EdgeServiceImpl web service until a patch is applied. Avoid using the getBackupPolicy and getBackupPolicies methods in the affected API endpoint until the issue is resolved.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2015-4069

ZDI-15-243

ZDI-15-244

Affected Products

Arcserve Udp

PT-2015-6409 · Arcserve · Arcserve Udp

CVE-2015-4069

Weakness Enumeration

Related Identifiers

Affected Products

References · 7