Two vulnerabilities have been identified in Server Backup Manager.
Severity
R1Soft rates these vulnerabilities as Critical.
Risk Assessment
An information exposure vulnerability was discovered in the Server Backup Manager. This could result in a SBM user session being cloned, allowing a malicious user access to SBM. R1Soft would like to thank rack911.com for bringing this issue to our attention and assisting in the development of a resolution.
The SSLv3 vulnerability, CVE 2014-3566, known as POODLE, affects Server Backup Manager 5.8.0 and earlier. This attack compromises encryption and could allow an attacker to obtain user credentials and session tokens.
Risk Mitigation
Immediately upgrade the Server Backup Manager to version 5.8.1.
Vulnerability
Affected versions include Server Backup Manager 5.8.0 and earlier.
Fix
Upgrade Note: Server Backup Advanced users A fix is not yet available for Server Backup Advanced Edition users. |
These issues are fixed in Server Backup 5.8.1, which you can download from the customer download portal. You must upgrade the Server Backup Manager. To address the POODLE vulnerability, SSLv3 connections were updated to use TLS. Please verify TLS compatibility with client libraries prior to upgrading.