CatDV Service Notice - RMI Session Hijacking Vulnerability

CatDV Server: Update Now: Mandatory Security Update

Summary

SBS is notifying you of a vulnerability impacting the CatDV Server software. A CVE (Common Vulnerabilities & Exposures) entry for this issue has been publicly disclosed and assigned the ID CVE-2021-26705. Under certain active-session conditions, this vulnerability may be exploited to give an attacker administrative-level access to the CatDV Server system. It is therefore mandatory that all CatDV Server users upgrade to the latest versions to prevent unauthorized access.

CVE-2021-26705

Vulnerable Quantum Products

The affected software is CatDV Server (Essential, Workgroup, Enterprise, Pegasus) up to and including version 9.2. CatDV Server 9.3.0 addresses this vulnerability; for users of older systems, 8.0.8 is available as the corresponding fix.

Solution

This upgrade is mandatory for all CatDV Server users, and most critical for internet-accessible systems. The fix for this vulnerability is included in CatDV Server versions 9.3.0 and 8.0.8, available for download from the CatDV website: https://catdv.com/support/download/

There is a self-guided installation process included as part of the software, though if you do need assistance please contact support@squarebox.com stating upgrade assistance required for version 9.3.0, and the SBS technical support team will provide a guided upgrade.

Ensure that you back up the server before you begin your upgrade, and confirm the backup has been successful.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26705