製品・ソフトウェアに関する情報

JVN脆弱性詳細

CA ARCserve Backup の RPC インターフェイスにおけるディレクトリトラバーサルの脆弱性

Title	CA ARCserve Backup の RPC インターフェイスにおけるディレクトリトラバーサルの脆弱性
Summary	CA ARCserve Backup の RPC インターフェイス (asdbapi.dll) には、ディレクトリトラバーサルの脆弱性が存在します。
Possible impacts	第三者により、opnum 0x10A における RPC 呼び出し内の .. (dot dot) を介して、任意のコマンドを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 9, 2008, midnight
Registration Date	Dec. 24, 2010, 11:47 a.m.
Last Update	Dec. 24, 2010, 11:47 a.m.

Affected System

CA Technologies

CA ARCserve Backup r11.1 Windows

CA ARCserve Backup r11.5 Windows

CA ARCserve Backup r12.0 Windows

CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2

CA Business Protection Suite r2

CA Server Protection Suite r2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-4397	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4397
National Vulnerability Database (NVD)
2	CVE-2008-4397	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4397

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html
2	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

ベンダー情報

No	Name	URL
CA SUPPORT ONLINE
1	188143	https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143

その他

No	Name	URL
ISS X-Force Database
1	45774	http://xforce.iss.net/xforce/xfdb/45774
Secunia Advisory
2	SA32220	http://secunia.com/advisories/32220
SecurityFocus
3	31684	http://www.securityfocus.com/bid/31684
SecurityTracker
4	1021032	http://www.securitytracker.com/id?1021032
VUPEN Security
5	VUPEN/ADV-2008-2777	http://www.vupen.com/english/advisories/2008/2777

Change Log

No	Changed Details	Date of change
0	[2010年12月24日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2008-4397

Summary	Directory traversal vulnerability in the RPC interface (asdbapi.dll) in CA ARCserve Backup (formerly BrightStor ARCserve Backup) r11.1 through r12.0 allows remote attackers to execute arbitrary commands via a .. (dot dot) in an RPC call with opnum 0x10A.
Summary	Vulnerabilidad de salto de directorio en la interfaz RPC (asdbapi.dll) en CA ARCserve Backup (antes BrightStor ARCserve Backup) vr11.1 hasta vr12.0 permite a atacantes remotos ejecutar comandos de su elección a través de .. (punto punto) en una llamada RPC con un opnum 0x10A.
Publication Date	Oct. 15, 2008, 6:10 a.m.
Registration Date	Jan. 29, 2021, 1:43 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:broadcom:arcserve_backup:r12.0:::::::*
cpe:2.3:a:broadcom:business_protection_suite:r2:::::::*
cpe:2.3:a:broadcom:server_protection_suite:r2:::::::*
cpe:2.3:a:ca:arcserve_backup:r11.1:::::::*
cpe:2.3:a:ca:arcserve_backup:r11.5:::::::*
cpe:2.3:a:ca:business_protection_suite:r2::microsoft_small_business_server_premium:::::
cpe:2.3:a:ca:business_protection_suite:r2::microsoft_small_business_server_standard:::::

Related information, measures and tools

No	URL	refsource
1	http://secunia.com/advisories/32220	cve@mitre.org
2	http://securityreason.com/securityalert/4412	cve@mitre.org
3	http://www.securityfocus.com/archive/1/497218	cve@mitre.org
4	http://www.securityfocus.com/archive/1/497281/100/0/threaded	cve@mitre.org
5	http://www.securityfocus.com/bid/31684	cve@mitre.org
6	http://www.securitytracker.com/id?1021032	cve@mitre.org
7	http://www.vupen.com/english/advisories/2008/2777	cve@mitre.org
8	https://exchange.xforce.ibmcloud.com/vulnerabilities/45774	cve@mitre.org
9	https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143	cve@mitre.org
10	http://secunia.com/advisories/32220	af854a3a-2127-422b-91ae-364da2661108
11	http://securityreason.com/securityalert/4412	af854a3a-2127-422b-91ae-364da2661108
12	http://www.securityfocus.com/archive/1/497218	af854a3a-2127-422b-91ae-364da2661108
13	http://www.securityfocus.com/archive/1/497281/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
14	http://www.securityfocus.com/bid/31684	af854a3a-2127-422b-91ae-364da2661108
15	http://www.securitytracker.com/id?1021032	af854a3a-2127-422b-91ae-364da2661108
16	http://www.vupen.com/english/advisories/2008/2777	af854a3a-2127-422b-91ae-364da2661108
17	https://exchange.xforce.ibmcloud.com/vulnerabilities/45774	af854a3a-2127-422b-91ae-364da2661108
18	https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html
2	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:broadcom:arcserve_backup:r12.0:::::::*
cpe:2.3:a:broadcom:business_protection_suite:r2:::::::*
cpe:2.3:a:broadcom:server_protection_suite:r2:::::::*
cpe:2.3:a:ca:arcserve_backup:r11.1:::::::*
cpe:2.3:a:ca:arcserve_backup:r11.5:::::::*
cpe:2.3:a:ca:business_protection_suite:r2::microsoft_small_business_server_premium:::::
cpe:2.3:a:ca:business_protection_suite:r2::microsoft_small_business_server_standard:::::