CA20090429-01: Security Notice for CA ARCserve Backup Apache HTTP Server - CA Technologies

Issued: April 29, 2009

CA's support is alerting customers to security risks with CA ARCserve Backup on Solaris, Tru64, HP-UX, and AIX. Multiple vulnerabilities exist in the Apache HTTP Server version as shipped with ARCserve Backup. CA has issued updates that contain version 2.0.63 of the Apache HTTP Server to address the vulnerabilities.

Refer to the References section for a list of resolved issues by CVE identifier.

Risk Rating

Medium

Platforms

Solaris
Tru64
HP-UX
AIX

Affected Products

CA ARCserve Backup r11.5 Solaris
CA ARCserve Backup r11.5 Tru64
CA ARCserve Backup r11.5 HP-UX
CA ARCserve Backup r11.5 AIX

Non-Affected Products

CA ARCserve Backup r11.5 Windows
CA ARCserve Backup r11.5 Linux

How to determine if the installation is affected

  1. From the command line, run the following to print the version of the Apache HTTP Server included with ARCserve Backup:

    $BAB_HOME/httpd/httpd -v

    Note: On HP-UX the shared library path needs to be modified prior to running the httpd command:

    SHLIB_PATH=$SHLIB_PATH:$BAB_HOME/httpd/lib
    export SHLIB_PATH

  2. If the displayed version is less than 2.0.63, then the installation may be vulnerable.
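
The two steps above can be scripted so the comparison is numeric rather than done by eye. This is an added example, not CA's own tooling: the function names and the sample output are constructed for illustration, and it assumes `httpd -v` prints the usual `Server version: Apache/x.y.z` line.

```sh
#!/bin/sh
# Added example: automate the advisory's "httpd -v" check against fixed version 2.0.63.
FIXED_VERSION="2.0.63"

# Constructed sample of `httpd -v` output (not captured from a real system).
SAMPLE_OUTPUT='Server version: Apache/2.0.55
Server built:   Jan  1 2006 00:00:00'

# Print x.y.z from the "Server version: Apache/x.y.z" line, or nothing if absent.
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: *Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed if dotted version $1 is numerically lower than $2 (three fields).
version_lt() {
    lhs=$1; rhs=$2
    old_ifs=$IFS; IFS=.
    set -- $lhs; l1=${1:-0}; l2=${2:-0}; l3=${3:-0}
    set -- $rhs; r1=${1:-0}; r2=${2:-0}; r3=${3:-0}
    IFS=$old_ifs
    if [ "$l1" -ne "$r1" ]; then [ "$l1" -lt "$r1" ]; return; fi
    if [ "$l2" -ne "$r2" ]; then [ "$l2" -lt "$r2" ]; return; fi
    [ "$l3" -lt "$r3" ]
}

# Classify captured `httpd -v` output the way step 2 of the advisory does.
classify() {
    found=$(apache_version "$1")
    if [ -z "$found" ]; then
        echo "unknown: no Apache version line found"
    elif version_lt "$found" "$FIXED_VERSION"; then
        echo "may be vulnerable: $found"
    else
        echo "at or above $FIXED_VERSION: $found"
    fi
}

# Run against the live binary only when ARCserve's httpd is present.
if [ -n "${BAB_HOME:-}" ] && [ -x "$BAB_HOME/httpd/httpd" ]; then
    if [ "$(uname -s)" = "HP-UX" ]; then   # HP-UX note from the advisory
        SHLIB_PATH=$SHLIB_PATH:$BAB_HOME/httpd/lib
        export SHLIB_PATH
    fi
    classify "$("$BAB_HOME/httpd/httpd" -v 2>&1)"
else
    classify "$SAMPLE_OUTPUT"   # demo on the constructed sample
fi
```

An "unknown" result usually means the binary failed to start (for example, a missing shared library path on HP-UX) and should be investigated rather than treated as patched.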

Solution

CA has issued the following patches to address the vulnerabilities.

CA ARCserve Backup r11.5 Solaris:
RO06786

CA ARCserve Backup r11.5 Tru64:
RO06788

CA ARCserve Backup r11.5 HP-UX:
RO06789

CA ARCserve Backup r11.5 AIX:
RO06791

Workaround

As a workaround, disable the Apache HTTP Server with the "stopgui" command. To re-enable the server, run "startgui".

Stopping the Apache HTTP Server will prevent the ARCserve user from performing GUI operations. Most of the operations provided by the GUI can be accomplished via the command line.

Alternatively, restrict remote network access to reduce exposure.

References

CVE-2004-0747
CVE-2003-0132

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Support at https://support.ca.com.

If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.
