Advisory ID: RBK-20240619-V0044
Severity: High
Reference: CVE-2024-36068
CVSS Score: 8.1
CVSS 3.0 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Action required: Upgrade CDM to 9.1.2-p1 (or later), 9.0.3-p6 (or later), or 8.1.3-p12 (or later)

Summary
Rubrik continues to enhance validation and security protocol testing to protect customers against unauthorized access to CDM with improved penetration testing and security reviews designed to uncover and address potential vulnerabilities. A recent internal security audit of CDM revealed a vulnerability with an internal service. Rubrik determined that a sophisticated attacker with local network access may be able to exploit the vulnerability to execute arbitrary code on CDM.

Impact Analysis
An attacker with access to a customer’s network and a sophisticated understanding of how to exploit the vulnerability could perform arbitrary operations and potentially execute arbitrary code. The vulnerability was identified entirely through proactive internal testing and security reviews, and Rubrik is not aware of any public exploit or customers impacted by this CDM vulnerability. To protect and reduce the risk to our customers, specific details of the vulnerability are being withheld.

Am I Affected?
All CDM platforms running versions prior to 9.1.2-p1, 9.0.3-p6 and 8.1.3-p12 are impacted and must be upgraded to one of the latest available versions.

  • CDM versions: Prior to 9.1.2-p1, 9.0.3-p6 and 8.1.3-p12
  • Platforms:
    • All physical CDM platforms are affected (Rubrik and all third-party hardware)
    • All virtual CDM platforms are affected (e.g., Cloud Cluster, Edge, Air, etc.)

Cloud platforms and software are not impacted by the vulnerability.

Remediation
All clusters running any CDM version prior to 9.1.2-p1, 9.0.3-p6 and 8.1.3-p12 must be upgraded.

Customers can perform the CDM upgrade from Rubrik Security Cloud (RSC). From the upper-right corner, click the Apps icon, select Settings, then select CDM Software Upgrades under the Clusters section.

Note:

  • Managed Service Provider (MSP) multi-tenant environments using Envoy with VMware workloads must upgrade to 9.1.2-p2, 9.0.3-p7, or 8.1.3-p13 (or later).
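The version thresholds above (one fixed build per release train, plus the stricter builds for MSP Envoy/VMware environments) are easy to misread when checking a fleet by hand, so the following is an added example of how an operator might script the "Am I Affected?" check. It is not Rubrik code. It assumes CDM version strings take the form MAJOR.MINOR.PATCH with an optional -pN suffix, treats a version on a release train the advisory does not list as "unlisted" rather than guessing, and uses a constructed cluster inventory.

```python
"""Check CDM cluster versions against the fixed builds named in RBK-20240619-V0044.

Added example, not Rubrik code. The cluster inventory below is constructed, and
the version-string format MAJOR.MINOR.PATCH[-pN] is an assumption.
"""
import re

# Earliest fixed build on each release train, taken from the advisory.
FIXED_BUILDS = {
    (9, 1): "9.1.2-p1",
    (9, 0): "9.0.3-p6",
    (8, 1): "8.1.3-p12",
}

# Stricter thresholds from the advisory's note for MSP multi-tenant
# environments using Envoy with VMware workloads.
FIXED_BUILDS_MSP_ENVOY = {
    (9, 1): "9.1.2-p2",
    (9, 0): "9.0.3-p7",
    (8, 1): "8.1.3-p13",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-pN]' (assumed format) into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized CDM version string: {text!r}")
    major, minor, patch, p = m.groups()
    # A build with no -p suffix sorts before -p1 on the same base version.
    return (int(major), int(minor), int(patch), int(p or 0))


def assess_version(text, msp_envoy_vmware=False):
    """Return (status, required_build) for one cluster version string.

    status is one of:
      'affected' - older than the fixed build for its train; upgrade required
      'fixed'    - at or beyond the fixed build for its train
      'unlisted' - on a release train the advisory does not enumerate
    """
    table = FIXED_BUILDS_MSP_ENVOY if msp_envoy_vmware else FIXED_BUILDS
    version = parse_version(text)
    train = version[:2]
    if train in table:
        required = table[train]
        status = "affected" if version < parse_version(required) else "fixed"
        return status, required
    oldest_train = min(table)
    if train < oldest_train:
        # Older than every train the advisory names, so "prior to" all fixed
        # builds; report the lowest fixed build as the minimum target (assumption).
        return "affected", table[oldest_train]
    return "unlisted", None


def assess_inventory(clusters):
    """Map cluster name -> assessment for (name, version, msp_envoy_vmware) tuples."""
    return {name: assess_version(ver, msp) for name, ver, msp in clusters}


# Constructed sample inventory (not real customer data).
SAMPLE_CLUSTERS = [
    ("dc1-physical", "9.0.3-p5", False),
    ("dc2-edge", "9.1.2-p1", False),
    ("msp-tenant-a", "9.1.2-p1", True),
    ("lab-cloudcluster", "8.1.3-p12", False),
    ("legacy-air", "8.0.5", False),
]

if __name__ == "__main__":
    for name, (status, required) in assess_inventory(SAMPLE_CLUSTERS).items():
        need = f" -> upgrade to {required} or later" if status == "affected" else ""
        print(f"{name:18} {status:9}{need}")
```

Note that the same version string can be "fixed" for a standard cluster and "affected" for an MSP Envoy/VMware deployment (9.1.2-p1 in the sample), which is exactly the distinction the note above draws; feeding the tool an accurate per-cluster flag matters as much as the version itself.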