• This topic has 2 replies, 2 voices, and was last updated March 12, 2021 by Nina D.

CVE-2021-3156 Vulnerability on VRAs

  • There was a recently published vulnerability in sudo with information listed in CVE-2021-3156, information here:

    CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

    The remediation suggested by Qualys has been to upgrade sudo on the machine to 1.9.5p2.

    What version of sudo is the VRA Linux deployment using?  If it’s different depending on the Zerto version, is there a list available?  We have a client requesting information and resolution to this, is upgrading it something we have permissions to do or would it require assistance from a Zerto engineer?

    Thank you,

    Hello Nina,

     

    The VRAs are Debian 9, stripped VMs, this means a lot of the normal functionalities will not be present. Sudo is not installed on the VRAs. You can run “apt list –installed” on the vra, that will display all packages installed and sudo is not one of them.

     

    You can run these checks by logging onto the VRA as detailed in the following KB:

     

    How to Connect to a VRA via SSH

     

    Hope this is helpful, thank you.

    Joe

    Thank you Joseph for the fast response!

The forum ‘Support Q & A’ is closed to new topics and replies.