Notified:  December 09, 2015 Updated: March 28, 2016

Statement Date:   March 25, 2016

Status

Affected

Vendor Statement

We have reviewed the submission below and determined that its not an issue.The discovered issue is not applicable as the product port (http) is not meant to be used on an internet facing connection. Deployment of the product service is intranet only. The product is also in maintenance release only and has been for over a year. The port (http) is used to monitor running jobs. There is no sensitive data there and the discovered issue of a possible DDOS means the service would be unavailable at most (though this isn’t a internet deployed service as mentioned above.)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The following points should be considered with respect to the above statement: • The Backburner Manager process is not an HTTP service. It is a command line interface that can be connected to directly (e.g. telnet). • Backburner Manager has been observed to listen on multiple ports, though in a default configuration, port 3234 is specified. • The manner in which Backburner is deployed almost certainly varies by user, regardless of the intentions of the vendor. Users should be aware that it permits the execution of arbitrary code by design (CVE-2007-4749). • The buffer overflow vulnerability (CVE-2016-2344) may be leveraged to terminate the Backburner service (a denial-of-service condition, not distributed). Code execution is possible, but does not grant any additional advantage to an attacker because of CVE-2007-4749.