Security Bulletins

StorNext UUI Graphite Port 7003 Security Update

A medium severity vulnerability has been identified in the Unified User Interface (UUI) shipped with StorNext versions 7.0 and 7.1.

Summary: Port 7003 is a development port used for testing statistics and graphing functionality. Exposure is limited to reading Graphite statistical data with a default user ID and password. It does not allow access to any system configuration or user data, and the port can be closed by customer support.

Read the full summary  
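
The practical check for this bulletin is whether TCP 7003 is listening on anything other than the loopback interface. The following is an added example, not Quantum's code: it parses `ss -ltn` output (a constructed sample is embedded so it runs offline) and reports any bind address for that port that is reachable from the network. Only the port number comes from the bulletin; the sample output, function names and the wildcard/loopback classification are assumptions.

```python
import ipaddress
import subprocess

GRAPHITE_PORT = 7003  # the development port named in the bulletin

# Constructed sample of `ss -ltn` output, not captured from a real StorNext node.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:7003      0.0.0.0:*
LISTEN 0      128    *:7003              *:*
LISTEN 0      128    [::]:443            [::]:*
"""


def listeners_on_port(ss_output, port=GRAPHITE_PORT):
    """Return the local bind address of every LISTEN socket on `port`."""
    binds = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or a non-listening socket
        addr, _, port_text = fields[3].rpartition(":")
        if port_text.isdigit() and int(port_text) == port:
            binds.append(addr)
    return binds


def is_loopback_bind(addr):
    """True only when the socket is reachable from the local host alone."""
    bare = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
    if bare in ("*", "0.0.0.0", "::"):
        return False  # wildcard bind: listening on every interface
    try:
        return ipaddress.ip_address(bare).is_loopback
    except ValueError:
        return False  # unrecognised form: treat as exposed, not as safe


def exposed_binds(ss_output, port=GRAPHITE_PORT):
    """Bind addresses for `port` that a remote client could reach."""
    return [b for b in listeners_on_port(ss_output, port) if not is_loopback_bind(b)]


if __name__ == "__main__":
    try:
        live = subprocess.run(["ss", "-ltn"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        live = SAMPLE_SS_OUTPUT  # no ss available: fall back to the constructed sample
    exposed = exposed_binds(live)
    print("port %d exposed on: %s" % (GRAPHITE_PORT,
                                     exposed or "nothing (closed or loopback only)"))
```

Run it on the StorNext node itself; a non-empty result means the Graphite development port is reachable from the network, and the port should be restricted at the host firewall until customer support closes it.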

VS Management Application Log4J Security Update

Several critical and high severity vulnerabilities have been identified in version 1.2 of Log4j.

Summary: This security update addresses these vulnerabilities by updating Log4j to version 2.18.0.

Read the full summary  

DXi Security Enhancement

Quantum has determined that a SQL injection attack may be possible prior to authentication.

Summary: Quantum recommends that you apply the appropriate code update linked below as soon as possible and adhere to best practices for data storage product security.

Read the full summary  

CatDV Apache Security

CatDV Using DMZ: Update Apache Now: Mandatory Security Update

Summary: The Apache Software Foundation has released a new version of Apache HTTP Server to address a critical vulnerability. If you are using CatDV in a DMZ configuration, with Apache HTTP Server acting as your reverse proxy, you will need to ensure your Apache HTTP Server is updated to the latest version as soon as possible to protect your site from exploitation of this vulnerability.

Read the full summary  

Apache Log4j Product Bulletin

Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation

Summary: Quantum is aware of the recent Common Vulnerabilities and Exposures (CVE) database entry regarding the open-source Apache Log4j utility and is actively monitoring the issue and evaluating its impact on Quantum products. Product-specific information is provided in the full bulletin. If you need additional details or help, please contact the Quantum Support Team for assistance.

Read the full summary  

CatDV Service Notice - RMI Session Hijacking Vulnerability

CATDV SERVER: UPDATE NOW: MANDATORY SECURITY UPDATE

Summary: SBS is notifying you of a vulnerability impacting the CatDV Server software. There is a known CVE (Common Vulnerabilities & Exposures) entry for this issue, which has been publicly disclosed and assigned the identifier CVE-2021-26705. Under certain active session conditions, this vulnerability may be exploitable to allow an attacker to gain administrative-level access to the CatDV Server system; it is therefore mandatory that all CatDV Server users upgrade to the latest version to avoid any unauthorized access.

Read the full summary  

Spectre and Meltdown Vulnerability

Quantum has been made aware of multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to operating system software in combination with a microcode update. There are three known CVEs related to this issue, affecting Intel, AMD, and ARM architectures. Affected operating systems include recent versions of Linux (Red Hat, CentOS, SUSE), Microsoft Windows and Apple macOS.

Read the full summary  

Apache Struts2 REST Plug-in Vulnerability

The recent data breach announced by Equifax has raised concerns across enterprises and institutions about security vulnerabilities within widely used open source software.

Read the full summary  

GHOST glibc Vulnerability

Quantum products that have been developed using the GNU C Library (glibc) may be affected by the GHOST glibc vulnerability identified as CVE-2015-0235. The GHOST vulnerability is a buffer overflow in the gethostbyname() family of functions in the Linux glibc library.

Read the full summary  

GNU Bash Vulnerability 'Shellshock'

Like many other companies, Quantum has been affected by the Shellshock bug, a serious vulnerability in GNU Bourne Again Shell (Bash), the common command-line shell utility, which may allow an attacker to remotely execute arbitrary code.

Read the full summary  

Multiple Petya Ransomware Infections

ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware.

Read the full summary  

OpenSSL Heartbleed Bug Vulnerability

Like many other companies, Quantum has been affected by the Heartbleed bug, a serious vulnerability in the popular OpenSSL cryptographic software library.

Read the full summary  

SambaCry Vulnerability

All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

Read the full summary  
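
The exposure described above has three ingredients on a Samba host: a version in the affected range, at least one share a client can write to, and the named-pipe code path still enabled. The following is an added example, not Quantum's code or Samba's, that audits a constructed smb.conf and an `smbd -V` string for all three. The fixed versions (4.6.4, 4.5.10 and 4.4.14) are those of the Samba security releases for CVE-2017-7494, and `nt pipe support = no` is the workaround from the same advisory; the sample configuration and the function names are assumptions, and the parser deliberately ignores Samba's last-setting-wins subtleties between `writable` and `read only`.

```python
import re

# Constructed sample smb.conf; not from any real Quantum product.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = constructed sample for the SambaCry audit
   ; nt pipe support = no   (the documented workaround, left commented out here)

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[projects]
   path = /srv/samba/projects
   read only = no
   valid users = @staff

[archive]
   path = /srv/samba/archive
   read only = yes
"""

# First fixed release per branch for CVE-2017-7494; 3.5.x to 4.3.x never got one.
FIXED_BY_BRANCH = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}


def parse_version(text):
    """Pull x.y.z out of text such as `smbd -V` output ('Version 4.5.8-Ubuntu')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def version_vulnerable(text):
    v = parse_version(text)
    if v < (3, 5, 0) or v >= (4, 7, 0):
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return v < fixed if fixed else True  # unsupported branch: vulnerable, no fix


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _yes(value):
    return value.lower() in ("yes", "true", "1")


def nt_pipe_disabled(conf):
    return conf.get("global", {}).get("nt pipe support", "").lower() == "no"


def writable_shares(conf):
    """Map share name -> guest_ok for every share a client could upload to."""
    result = {}
    for name, opts in conf.items():
        if name == "global":
            continue
        writable = (_yes(opts.get("writable", opts.get("writeable", "no")))
                    or opts.get("read only", "yes").lower() == "no")
        if writable:
            result[name] = _yes(opts.get("guest ok", "no"))
    return result


def audit(conf_text, smbd_version_text):
    conf = parse_smb_conf(conf_text)
    shares = writable_shares(conf)
    vulnerable = version_vulnerable(smbd_version_text)
    mitigated = nt_pipe_disabled(conf)
    return {
        "vulnerable_version": vulnerable,
        "nt_pipe_support_off": mitigated,
        "writable_shares": shares,
        "exploitable": vulnerable and not mitigated and bool(shares),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF, "Version 4.5.8-Ubuntu"))
```

Shares that are writable and guest-accessible are the worst case, since no credentials are needed to upload the library; the version upgrade is the fix, and `nt pipe support = no` only buys time at the cost of breaking some Windows clients.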

WannaCry Ransomware

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability.

Read the full summary  

Samba Heimdal Kerberos Vulnerability

The Samba Team has released security updates that address a vulnerability in all versions of Samba from 4.0.0 onwards that include an embedded Heimdal Kerberos.

Read the full summary