
JVNDB-2008-001312

Symantec Backup Exec for Windows Server ActiveX Control Multiple Vulnerabilities

Overview

The PVATLCalendar.PVCalendar.1 (pvcalendar.ocx) ActiveX control, a scheduler component of the Media Server in Symantec Backup Exec for Windows Server (BEWS), exposes an insecure Save() method that mishandles strings assigned to the properties listed below. This can be exploited to cause a denial of service (DoS) or to overwrite arbitrary files.
_DOWText0, _DOWText1, _DOWText2, _DOWText3, _DOWText4
_DOWText5, _DOWText6, _MonthText0, _MonthText1, _MonthText2
_MonthText3, _MonthText4, _MonthText5, _MonthText6, _MonthText7
_MonthText8, _MonthText9, _MonthText10, _MonthText11
CVSS Severity

CVSS V2 Severity:
Base Metrics 5.1 (Medium) [NVD Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Symantec Corporation
  • Symantec Backup Exec for Windows Servers 11d
  • Symantec Backup Exec for Windows Servers 12.0
Hitachi, Ltd
  • JP1/VERITAS Backup Exec 11d (windows)
  • JP1/VERITAS NetBackup 6.5
  • JP1/VERITAS NetBackup 6.0
  • JP1/VERITAS NetBackup 5.1

Impact

A remote attacker could cause a denial of service (DoS) or overwrite arbitrary files.
Solution

Please refer to the 'Vendor Information' section for the official countermeasures and take appropriate action.
Vendor Information

Symantec Corporation
Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS08-007
CWE

  1. Improper Input Validation (CWE-20) [NVD Evaluation]
CVE

  1. CVE-2007-6017
References

  1. National Vulnerability Database (NVD) : CVE-2007-6017
  2. Secunia Advisory : SA27885
  3. SecurityFocus : 28008
  4. SecurityTracker : 1019525
  5. FrSIRT Advisories : FrSIRT/ADV-2008-0718
  6. JVN iPedia (Japanese) : JVNDB-2008-001312
Revision History

  • [2008/05/21] Web page published
  • [2008/11/21] Affected Products : Added Hitachi, Ltd (HS08-007).