Enterprise Vault and Telerik vulnerability report regarding RadAsyncUpload function

Article ID: 100048654

Description

Error Message

The vulnerability report states the following:

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Cause

The reported vulnerability relates to the Telerik RadAsyncUpload function.

Resolution

None of the following products use any version of the RadAsyncUpload function in their codebase, and they are therefore not affected by this vulnerability:

  • Enterprise Vault Compliance Accelerator / Veritas Advanced Supervision
  • Enterprise Vault Discovery Accelerator
  • Enterprise Vault for Lotus Domino
  • Enterprise Vault for File System Archiving
  • Enterprise Vault for Microsoft Exchange
  • Enterprise Vault for Microsoft SharePoint
  • Enterprise Vault for SMTP

Issue/Introduction

Is Enterprise Vault (EV) affected by the Telerik vulnerability in the RadAsyncUpload function?

Additional Information

JIRA: CFT-3008