CVE-2009-3027

Name: CVE-2009-3027
Creator: NVD / NIST
Published: 2009-12-11T16:30:00.203+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 10.61%

Last modified Jun 16, 2026

CVE-2009-3027 is a vulnerability of currently unknown severity. VRTSweb.exe in VRTSweb in Symantec Backup Exec Continuous Protection Server (CPS) 11d, 12.0, and 12.5; Veritas NetBackup Operations Manager (NOM) 6.0 GA through 6.5.5; Veritas Backup Reporter (VBR) 6.0 GA through 6.6; Veritas Storage Foundation (SF) 3.5; Veritas Storage Foundation for Windows High Availability (SFWHA) 4.3MP2, 5.0, 5.0RP1a, 5.0RP2, 5.1, and 5.1AP1; Veritas Storage Foundation for High Availability (SFHA) 3.5; Veritas Storage Foundation for Oracle (SFO) 4.1, 5.0, and 5.0.1; Veritas Storage Foundation for DB2 4.1 and 5.0; Veritas Storage Foundation for Sybase 4.1 and 5.0; Veritas Storage Foundation for Oracle Real Application Cluster (SFRAC) 3.5, 4.0, 4.1, and 5.0; Veritas Storage Foundation Manager (SFM) 1.0, 1.0 MP1, 1.1, 1.1.1Ux, 1.1.1Win, and 2.0; Veritas Cluster Server (VCS) 3.5, 4.0, 4.1, and 5.0; Veritas Cluster Server One (VCSOne) 2.0, 2.0.1, and 2.0.2; Veritas Application Director (VAD) 1.1 and 1.1 Platform Expansion; Veritas Cluster Server Management Console (VCSMC) 5.1, 5.5, and 5.5.1; Veritas Storage Foundation Cluster File System (SFCFS) 3.5, 4.0, 4.1, and 5.0; Veritas Storage Foundation Cluster File System for Oracle RAC (SFCFS RAC) 5.0; Veritas Command Central Storage (CCS) 4.x, 5.0, and 5.1; Veritas Command Central Enterprise Reporter (CC-ER) 5.0 GA, 5.0 MP1, 5.0 MP1RP1, and 5.1; Veritas Command Central Storage Change Manager (CC-SCM) 5.0 and 5.1; and Veritas MicroMeasure 5.0 does not properly validate authentication requests, which allows remote attackers to trigger the unpacking of a WAR archive, and execute arbitrary code in the contained files, via crafted data to TCP port 14300.. EPSS estimates a 10.61% chance of exploitation in the next 30 days.

Description

VRTSweb.exe in VRTSweb in Symantec Backup Exec Continuous Protection Server (CPS) 11d, 12.0, and 12.5; Veritas NetBackup Operations Manager (NOM) 6.0 GA through 6.5.5; Veritas Backup Reporter (VBR) 6.0 GA through 6.6; Veritas Storage Foundation (SF) 3.5; Veritas Storage Foundation for Windows High Availability (SFWHA) 4.3MP2, 5.0, 5.0RP1a, 5.0RP2, 5.1, and 5.1AP1; Veritas Storage Foundation for High Availability (SFHA) 3.5; Veritas Storage Foundation for Oracle (SFO) 4.1, 5.0, and 5.0.1; Veritas Storage Foundation for DB2 4.1 and 5.0; Veritas Storage Foundation for Sybase 4.1 and 5.0; Veritas Storage Foundation for Oracle Real Application Cluster (SFRAC) 3.5, 4.0, 4.1, and 5.0; Veritas Storage Foundation Manager (SFM) 1.0, 1.0 MP1, 1.1, 1.1.1Ux, 1.1.1Win, and 2.0; Veritas Cluster Server (VCS) 3.5, 4.0, 4.1, and 5.0; Veritas Cluster Server One (VCSOne) 2.0, 2.0.1, and 2.0.2; Veritas Application Director (VAD) 1.1 and 1.1 Platform Expansion; Veritas Cluster Server Management Console (VCSMC) 5.1, 5.5, and 5.5.1; Veritas Storage Foundation Cluster File System (SFCFS) 3.5, 4.0, 4.1, and 5.0; Veritas Storage Foundation Cluster File System for Oracle RAC (SFCFS RAC) 5.0; Veritas Command Central Storage (CCS) 4.x, 5.0, and 5.1; Veritas Command Central Enterprise Reporter (CC-ER) 5.0 GA, 5.0 MP1, 5.0 MP1RP1, and 5.1; Veritas Command Central Storage Change Manager (CC-SCM) 5.0 and 5.1; and Veritas MicroMeasure 5.0 does not properly validate authentication requests, which allows remote attackers to trigger the unpacking of a WAR archive, and execute arbitrary code in the contained files, via crafted data to TCP port 14300.

Metrics

EPSS Probability

10.61%

95.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions
Symantec	Backup Exec Continuous Protection Server	11d
Symantec	Backup Exec Continuous Protection Server	12.0
Symantec	Backup Exec Continuous Protection Server	12.5
Symantec	Veritas Application Director	1.1
Symantec	Veritas Backup Exec	11d
Symantec	Veritas Backup Exec	12.0
Symantec	Veritas Backup Exec	12.5
Symantec	Veritas Cluster Server	3.5
Symantec	Veritas Cluster Server	4.0
Symantec	Veritas Cluster Server	4.1
Symantec	Veritas Cluster Server	5.0
Symantec	Veritas Cluster Server Management Console	5.1
Symantec	Veritas Cluster Server Management Console	5.5
Symantec	Veritas Cluster Server Management Console	5.5.1
Symantec	Veritas Cluster Server One	2.0
Symantec	Veritas Cluster Server One	2.0.1
Symantec	Veritas Cluster Server One	2.0.2
Symantec	Veritas Command Central Enterprise Reporter	5.0_ga
Symantec	Veritas Command Central Enterprise Reporter	5.0mp1
Symantec	Veritas Command Central Enterprise Reporter	5.0mp1rp1
Symantec	Veritas Command Central Enterprise Reporter	5.1
Symantec	Veritas Command Central Storage	4.x
Symantec	Veritas Command Central Storage	5.0
Symantec	Veritas Command Central Storage	5.1
Symantec	Veritas Command Central Storage Change Manager	5.0
Symantec	Veritas Command Central Storage Change Manager	5.1
Symantec	Veritas Micromeasure	5.0
Symantec	Veritas Netbackup Operations Manager	6.0_ga
Symantec	Veritas Netbackup Operations Manager	6.5.5
Symantec	Veritas Netbackup Reporter	6.0_ga
Symantec	Veritas Netbackup Reporter	6.6
Symantec	Veritas Storae Foundation	3.5_onwards
Symantec	Veritas Storage Foundation	3.5
Symantec	Veritas Storage Foundation Cluster File System	3.5
Symantec	Veritas Storage Foundation Cluster File System	4.0
Symantec	Veritas Storage Foundation Cluster File System	4.1
Symantec	Veritas Storage Foundation Cluster File System	5.0
Symantec	Veritas Storage Foundation Cluster File System For Oracle Rac	5.0
Symantec	Veritas Storage Foundation For Db2	4.1
Symantec	Veritas Storage Foundation For Db2	5.0
Symantec	Veritas Storage Foundation For High Availability	3.5
Symantec	Veritas Storage Foundation For Oracle	4.1
Symantec	Veritas Storage Foundation For Oracle	5.0
Symantec	Veritas Storage Foundation For Oracle	5.0.1
Symantec	Veritas Storage Foundation For Oracle Real Application Cluster	3.5
Symantec	Veritas Storage Foundation For Oracle Real Application Cluster	4.0
Symantec	Veritas Storage Foundation For Oracle Real Application Cluster	4.1
Symantec	Veritas Storage Foundation For Oracle Real Application Cluster	5.0
Symantec	Veritas Storage Foundation For Sybase	4.1
Symantec	Veritas Storage Foundation For Sybase	5.0

Showing 50 of 62 affected configurations. See NVD for the full list.

References

http://marc.info/?l=bugtraq&m=126046186917330&w=2Patch
http://secunia.com/advisories/37631Vendor Advisory
http://secunia.com/advisories/37637Vendor Advisory
http://secunia.com/advisories/37685Vendor Advisory
http://securitytracker.com/id?1023309
http://securitytracker.com/id?1023312
http://seer.entsupport.symantec.com/docs/336988.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337279.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337293.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337392.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337859.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337930.htmPatch, Vendor Advisory
http://www.osvdb.org/60884
http://www.securityfocus.com/archive/1/508358/100/0/threaded
http://www.securityfocus.com/bid/37012
http://www.securitytracker.com/id?1023311
http://www.securitytracker.com/id?1023313
http://www.securitytracker.com/id?1023318
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091209_00
http://www.vupen.com/english/advisories/2009/3467Vendor Advisory
http://www.vupen.com/english/advisories/2009/3483Vendor Advisory
http://www.zerodayinitiative.com/advisories/ZDI-09-098/Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/54665
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7986
http://marc.info/?l=bugtraq&m=126046186917330&w=2Patch
http://secunia.com/advisories/37631Vendor Advisory
http://secunia.com/advisories/37637Vendor Advisory
http://secunia.com/advisories/37685Vendor Advisory
http://securitytracker.com/id?1023309
http://securitytracker.com/id?1023312
http://seer.entsupport.symantec.com/docs/336988.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337279.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337293.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337392.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337859.htmPatch, Vendor Advisory
http://seer.entsupport.symantec.com/docs/337930.htmPatch, Vendor Advisory
http://www.osvdb.org/60884
http://www.securityfocus.com/archive/1/508358/100/0/threaded
http://www.securityfocus.com/bid/37012
http://www.securitytracker.com/id?1023311
http://www.securitytracker.com/id?1023313
http://www.securitytracker.com/id?1023318
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091209_00
http://www.vupen.com/english/advisories/2009/3467Vendor Advisory
http://www.vupen.com/english/advisories/2009/3483Vendor Advisory
http://www.zerodayinitiative.com/advisories/ZDI-09-098/Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/54665
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7986

Timeline

Published: Dec 11, 2009
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2009-3027?

How severe is CVE-2009-3027?

Severity scoring for CVE-2009-3027 is pending analysis. The EPSS model estimates a 10.61% probability of exploitation in the next 30 days.

How do I fix CVE-2009-3027?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-3027?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST