CA20090429-01: Security Notice for CA ARCserve Backup Apache HTTP Server
Issued: April 29, 2009
CA's support is alerting customers to security risks with CA ARCserve Backup on Solaris, Tru64, HP-UX, and AIX. The version of the Apache HTTP Server shipped with ARCserve Backup contains multiple vulnerabilities. CA has issued updates that contain version 2.0.63 of the Apache HTTP Server to address the vulnerabilities.
Refer to the References section for a list of resolved issues by CVE identifier.
CA ARCserve Backup r11.5 Solaris
CA ARCserve Backup r11.5 Tru64
CA ARCserve Backup r11.5 HP-UX
CA ARCserve Backup r11.5 AIX
CA ARCserve Backup r11.5 Windows
CA ARCserve Backup r11.5 Linux
How to determine if the installation is affected
- From the command line, run the following to print the version of the Apache HTTP Server included with ARCserve Backup:
Note: On HP-UX the shared library path needs to be modified prior to running the httpd command:
- If the displayed version is less than 2.0.63, then the installation may be vulnerable.
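The version comparison in the step above can be scripted when many hosts have to be checked. The following is an added example, not part of the CA notice: it assumes the version command prints the standard Apache banner ("Server version: Apache/x.y.z"), and the function names and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the banner printed by the Apache version command.
FIXED="2.0.63"   # Apache release contained in the CA updates (from this notice)

# Extract "x.y.z" from a banner such as "Server version: Apache/2.0.54".
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Succeed if version $1 is numerically lower than version $2.
# Fields are compared as integers: a string compare would rank 2.0.9 above 2.0.63.
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # six fields: a1 a2 a3 b1 b2 b3
    IFS=$old_ifs
    if [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]; return; fi
    [ "$3" -lt "$6" ]
}

# Print one result line for a captured banner.
# "unknown" covers the case where the command failed and printed no version,
# for example on HP-UX when the shared library path was not set first.
classify_banner() {
    v=$(apache_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED"; then
        echo "may-be-vulnerable $v"
    else
        echo "at-or-above-fix $v"
    fi
}

# Constructed sample banners; on a real host pass the captured output of the
# version command from the step above to classify_banner instead.
while IFS= read -r banner; do
    printf '%-40s -> %s\n' "$banner" "$(classify_banner "$banner")"
done <<'EOF'
Server version: Apache/2.0.54
Server version: Apache/2.0.9
Server version: Apache/2.0.63
httpd: not found
EOF
```

An "unknown" result means no version was read, so the host still has to be checked by hand.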
CA has issued the following patches to address the vulnerabilities.
CA ARCserve Backup r11.5 Solaris:
CA ARCserve Backup r11.5 Tru64:
CA ARCserve Backup r11.5 HP-UX:
CA ARCserve Backup r11.5 AIX:
As a workaround, disable the Apache HTTP Server with the "stopgui" command. To re-enable the server, run "startgui".
Stopping the Apache HTTP Server will prevent the ARCserve user from performing GUI operations. Most of the operations provided by the GUI can be accomplished via the command line.
Alternatively, restrict remote network access to reduce exposure.
Version 1.0: Initial Release
If additional information is required, please contact CA Support at https://support.ca.com.
If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.