| Title | Veritas Resiliency Platform における脆弱性 |
|---|---|
| Summary | Veritas Resiliency Platform には、不特定の脆弱性が存在します。 |
| Possible impacts | 情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。 |
| Solution | ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | Dec. 23, 2020, midnight |
| Registration Date | Sept. 10, 2021, 6:07 p.m. |
| Last Update | Sept. 10, 2021, 6:07 p.m. |
| CVSS3.0 : 重要 | |
| Score | 8.8 |
|---|---|
| Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVSS2.0 : 危険 | |
| Score | 7.2 |
|---|---|
| Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| ベリタス |
| Resiliency Platform 3.4 |
| Resiliency Platform 3.5 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2021年09月10日] 掲載 |
Sept. 10, 2021, 6:07 p.m. |
| Summary | An issue was discovered in Veritas Resiliency Platform 3.4 and 3.5. It leverages OpenSSL on Windows systems when using the Managed Host addon. On start-up, it loads the OpenSSL library. This library may attempt to load the openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. |
|---|---|
| Publication Date | Jan. 6, 2021, 10:15 a.m. |
| Registration Date | Jan. 26, 2021, 11:58 a.m. |
| Last Update | Nov. 21, 2024, 2:28 p.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:veritas:resiliency_platform:3.5:*:*:*:*:*:*:* | |||||
| cpe:2.3:a:veritas:resiliency_platform:3.4:*:*:*:*:*:*:* | |||||