This article serves as a reference for Unitrends responses to Common Vulnerabilities and Exposures (CVE).
A security vulnerability CVE report has been issued. Is the Unitrends system vulnerable to it?
The CVE and NIST organizations publish security vulnerability reports as they are discovered, and the use cases in which each vulnerability occurs are also described. The Unitrends engineering organization must evaluate each of these to determine whether any vulnerability is exposed on Unitrends appliances and determine corrective action, if any.
Security updates are included in normal monthly appliance updates.
No manual action is necessary to have the latest security packages other than updating to the current Unitrends appliance release.
Before contacting Unitrends Support regarding a possible CVE reported by a scanner, please do the following:
- Update your appliance to the latest Unitrends release. Note that hot copy targets must be updated before backup appliances. An active support agreement is required to obtain the latest release from Unitrends.
- Wait at least 30 minutes post update then check in your UI to see if there is an alert indicating a reboot is required. Reboot only if an alert is noted.
- Scan your system with the latest updates of your security vulnerability scanner. Compare the results of your scan with this article. Many CVEs reported against Unitrends systems are false positives or do not apply to our system (see the note about scanners below). Eliminate all that do not apply.
- Note any CVEs your tool reports the appliance triggered that are not resolved through this process. Provide the output of those specific CVEs to Unitrends support.
A note about vulnerability scanners
Unitrends appliances run on CentOS, which follows its upstream source, Red Hat. Red Hat addresses many security issues through 'backports'; the term backporting describes when Red Hat takes a fix for a security flaw out of the most recent version of an upstream software package and applies that fix to an older version of the package distributed by Red Hat.
More information can be found here: https://access.redhat.com/solutions/57665
If your vulnerability scanner does not account for these backports, you will see many false positives in your scans.
Red Hat's vulnerability response database can be found here: https://access.redhat.com/security/security-updates/#/cve
Some scanning engines may report additional CVEs to which the Unitrends appliance is not vulnerable, because of the difference between upstream versions and the patches backported by Red Hat/CentOS. Check the following KB for examples of false positives:
Security: Common false positive scan results
Some security software uses the upstream project package version number to determine a package's vulnerabilities. This does not take into account patches backported by Red Hat to CentOS: a backported fix leaves the upstream version unchanged and only increments the release (patch level) after the dash in the package version.
Unitrends uses CentOS as its Linux OS distribution. Red Hat will continue to provide long-term support for packages contained in the distribution as defined in the lifecycle. Unitrends will continue to supply regular security updates, which will include updated packages from Red Hat as they become available throughout the lifecycle of the distribution.
A variant of this is that some security software references upstream project package versions, saying that an older released version will no longer be supported by the project. This should be considered a false positive. This statement means that the upstream project will stop automatically backporting new fixes into that version for Linux distributions. The Linux distributions (including Red Hat) do their own security updates and fixes for package versions that have been distributed. The Red Hat policy on support is described in the links below.
Red Hat support lifecycle https://access.redhat.com/support/policy/updates/errata
RH Backporting Policy https://access.redhat.com/security/updates/backporting
Security Audit Tool OVAL Compatibility https://access.redhat.com/articles/221883/
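The following POSIX shell script is an added example, not Unitrends tooling or part of this article, showing the check described above: instead of judging a package by its upstream version, split the installed package's name-version-release string and look for the CVE id in the package changelog, which is where Red Hat records backported fixes. It assumes an RPM-based system (the `rpm -q --changelog` command) for the live check; the embedded changelog text and the CVE ids `CVE-0000-0001`/`CVE-0000-0002` are constructed placeholders so the script also runs offline.

```shell
#!/bin/sh
# Added example (not Unitrends' own tooling). Verifies a backported fix on an
# RPM-based system: split a package NVR into name/version/release and search the
# package changelog for the CVE id rather than trusting the upstream version.

# Split "name-version-release" (e.g. openssl-1.0.2k-19.el7) into its three fields.
# Prints: name version release (space separated). Names may contain dashes.
split_nvr() {
    nvr=$1
    release=${nvr##*-}          # text after the last dash: the Red Hat release field
    rest=${nvr%-*}
    version=${rest##*-}         # upstream version, between the last two dashes
    name=${rest%-*}
    printf '%s %s %s\n' "$name" "$version" "$release"
}

rpm_version() { split_nvr "$1" | cut -d' ' -f2; }
rpm_release() { split_nvr "$1" | cut -d' ' -f3; }

# Return 0 if the changelog text mentions the CVE id, 1 otherwise.
# -w matches whole words so CVE-0000-0001 does not match CVE-0000-00010.
changelog_mentions_cve() {
    changelog=$1
    cve=$2
    printf '%s\n' "$changelog" | grep -qiw -- "$cve"
}

# Live variant for an appliance: read the changelog from rpm itself.
# Usage: check_installed_cve openssl CVE-XXXX-XXXX   (placeholder id)
check_installed_cve() {
    changelog_mentions_cve "$(rpm -q --changelog "$1" 2>/dev/null)" "$2"
}

# Constructed sample changelog (placeholder maintainer and CVE ids, not real
# advisories) in the shape `rpm -q --changelog` prints; lets the example run
# without rpm installed.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Placeholder Maintainer <maint@example.invalid> - 1.0.2k-19
- fix CVE-0000-0001: placeholder description of a backported fix
* Fri Dec 01 2023 Placeholder Maintainer <maint@example.invalid> - 1.0.2k-18
- fix CVE-0000-0002: another placeholder backport'

# Report whether a package build carries a fix. Prints "fixed in release <rel>"
# and returns 0, or prints "not-found" and returns 1. Uses the constructed
# sample changelog unless a third argument supplies one.
cve_status() {
    pkg_nvr=$1
    cve=$2
    changelog=${3:-$SAMPLE_CHANGELOG}
    if changelog_mentions_cve "$changelog" "$cve"; then
        printf 'fixed in release %s\n' "$(rpm_release "$pkg_nvr")"
        return 0
    fi
    printf 'not-found\n'
    return 1
}

# Demo: the upstream version stays 1.0.2k while release 19 carries the fix, which
# is exactly the case a version-only scanner reports as a false positive.
cve_status openssl-1.0.2k-19.el7 CVE-0000-0001
cve_status openssl-1.0.2k-19.el7 CVE-0000-0099 || true
```

On a real appliance, `check_installed_cve <package> <CVE-id>` performs the same lookup against the installed package; a CVE that the scanner flags by upstream version but that appears in the changelog is a candidate false positive to eliminate before contacting support.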
Unitrends provides long-term support for all software delivered on our systems for customers covered under an active Unitrends support agreement. When Unitrends determines that functional or security issues require an update, Unitrends will supply an updated software package. This includes providing updated CentOS packages, updated Unitrends software packages, or other custom software packages used by Unitrends.