CVE ID
CVE-2012-4929
DESCRIPTION
Unitrends has reviewed the penetration test results that were forwarded to our attention on May 29, 2014. We have correlated the results with Common Vulnerabilities and Exposures item CVE-2012-4929.
Unitrends Recovery-Series appliances are not impacted by this CVE.
Details:
- NIST rates this as Severity LOW.
- The vulnerability requires network access to the appliance and an HTTPS/SPDY connection to capture data.
- Backup data is not exposed. Transferring backup data does not use HTTPS.
- The HTTPS web login credentials are not exposed because SSL compression is not used, and neither is SPDY.
- Support tunnel connections use SSH rather than HTTPS/SPDY, so they are not exposed.
- Replication does use SSL with compression, but spoofing it would require root access to the system.
RESOLUTION
Fixed in:
- CentOS5 openssl-0.9.8e-26.el5_9.1 or later
- CentOS6 openssl-1.0.0-27.el6_4.2 or later
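
An added example, not part of the Unitrends advisory: a check that an installed openssl package is at or above the fixed builds listed above. It assumes the input is the line printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' openssl`, ignores package epochs, and uses illustrative function names (`rpmvercmp`, `is_fixed`).

```python
import re

# Fixed builds from the RESOLUTION list above, keyed by the EL tag in the release.
FIXED = {"el5": ("0.9.8e", "26.el5_9.1"), "el6": ("1.0.0", "27.el6_4.2")}

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are skipped.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 using rpm's segment ordering (no '~' or '^' handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(nvr):
    """True if an openssl NAME-VERSION-RELEASE string meets the fixed build."""
    name, version, release = nvr.strip().rsplit("-", 2)
    tag = re.search(r"el[56]", release)
    if name != "openssl" or tag is None:
        raise ValueError("not a CentOS 5/6 openssl package: %r" % nvr)
    fixed_version, fixed_release = FIXED[tag.group(0)]
    c = rpmvercmp(version, fixed_version)
    return c > 0 or (c == 0 and rpmvercmp(release, fixed_release) >= 0)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real appliance.
    for sample in ("openssl-0.9.8e-22.el5_8.4", "openssl-0.9.8e-26.el5_9.1",
                   "openssl-1.0.0-27.el6", "openssl-1.0.1e-16.el6_5.7"):
        print(sample, "fixed" if is_fixed(sample) else "BELOW FIXED BUILD")
```
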