Security Bulletins
StorNext UUI Graphite Port 7003 Security Update
A medium severity vulnerability has been identified with the Unified User Interface (UUI) shipped with StorNext versions 7.0 and 7.1.
Summary: Port 7003 is a development port used for testing statistics and graphing functionality. Exposure is limited to reading Graphite statistical data with a default userid and password. It does not allow access to any system configurations or user data and can be closed by customer support.
VS Management Application Log4J Security Update
Several critical and high severity vulnerabilities have been identified in version 1.2 of Log4J.
Summary: This security update addresses the following vulnerabilities by updating Log4J to version 2.18.0.
DXi Security Enhancement
Quantum has determined that a SQL injection attack may be possible prior to authentication.
Summary: Quantum recommends that you apply the appropriate code update linked below as soon as possible and adhere to best practices for data storage product security.
CatDV Apache Security
CatDV Using DMZ: Update Apache Now: Mandatory Security Update
Summary: The Apache Software Foundation has released a new version of Apache HTTP Server to address a critical vulnerability. If you are using CatDV in a DMZ configuration, with Apache HTTP Server acting as your reverse proxy, then you will need to ensure your Apache HTTP Server is updated to the latest version as soon as possible to protect your site from this exploit.
Apache Log4j Product Bulletin
Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation
Summary: Quantum is aware of the recent Common Vulnerabilities and Exposures (CVE) database entry regarding the open-source Apache Log4j utility and is actively monitoring the issue and evaluating its impact on Quantum products. Product-specific information is provided below. If you need additional details or help, please contact the Quantum Support Team for assistance.
CatDV Service Notice - RMI Session Hijacking Vulnerability
CATDV SERVER: UPDATE NOW: MANDATORY SECURITY UPDATE
Summary: SBS is notifying you of a vulnerability impacting the CatDV Server software. There is a known CVE (Common Vulnerabilities & Exposures) related to this issue, which has been publicly disclosed and assigned ID number CVE-2021-26705. Under certain active session conditions, this vulnerability may be exploited to allow an attacker to gain administrative-level access to the CatDV Server system. It is therefore mandatory that all CatDV Server users upgrade to the latest versions to avoid any unauthorized access.
Spectre and Meltdown Vulnerability
Quantum has been made aware of multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to operating system software in combination with a microcode update. There are 3 known CVEs related to this issue in combination with Intel, AMD, and ARM architectures. Affected operating systems include recent versions of Linux (Red Hat, CentOS, SUSE), Microsoft Windows and Apple macOS.
Apache Struts2 REST Plug-in Vulnerability
The recent data breach announced by Equifax has raised concerns across enterprises and institutions about security vulnerabilities within widely used open source software.
GHOST glibc Vulnerability
Quantum products that have been developed using the GNU C Library (glibc) may be affected by the GHOST glibc vulnerability identified as CVE-2015-0235. The GHOST vulnerability is a serious weakness in the Linux glibc library.
GNU Bash Vulnerability 'Shellshock'
Like many other companies, Quantum has been affected by the Shellshock bug, a serious vulnerability in GNU Bourne Again Shell (Bash), the common command-line shell utility, which may allow an attacker to remotely execute arbitrary code.
Multiple Petya Ransomware Infections
ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware.
OpenSSL Heartbleed Bug Vulnerability
Like many other companies, Quantum has been affected by the Heartbleed bug, a serious vulnerability in the popular OpenSSL cryptographic software library.
SambaCry Vulnerability
All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
WannaCry Ransomware
Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability.
Samba Heimdal Kerberos Vulnerability
The Samba Team has released security updates that address a vulnerability in all versions of Samba from 4.0.0 that include an embedded Heimdal Kerberos.