Information about Arcserve UDP vulnerability (CVE-2018-18657,CVE-2018-18658,CVE-2018-18659,CVE-2018-18660)

Thank you for using NTT Communications Enterprise Cloud 2.0 (ECL2.0) service.

This is an important notification for Enterprise Cloud 2.0 Services re: security vulnerabilities about Arcserve UDP(CVE-2018-18657,CVE-2018-18658,CVE-2018-18659,CVE-2018-18660).

We highly recommend to take countermeasures for customers who are using functionalities which is affected. For details please refer to the following information.

Specified vulnerability

・ Unauthenticated Sensitive Information Disclosure
CVE-2018-18657 – DDI-VRT-2018-18
CVE-2018-18658 – DDI-VRT-2018-20

・ Unauthenticated XXE
CVE-2018-18659 – DDI-VRT-2018-19

・Reflected Cross-site Scripting
CVE-2018-18660 – DDI-VRT-2018-21

■Object version

Arcserve UDP 6.5 Update 4
Arcserve UDP 6.5 Update 3

■Functionalities which is affected

UDP console
UDP gateway

※Restoration Point Server(RPS) and UDP Windows/Linux/ Agent are not affected.


It is necessary to apply the following modification modules,

・Modification module
P00001478 for UDP 6.5 Update4
P00001480 for UDP 6.5 Update3

■Procedure to apply modification modules

<UDP console>

・UDP 6.5 Update4: Unzip  and apply P00001478.exe

・UDP 6.5 Update3: Unzip and apply P00001478.exe

<UDP gateway>

1. Stop the Arcserve Remote Management Gateway Service
2. Go to C:\Program Files\Arcserve\Unified Data Protection\Gateway\TOMCAT\webapps\gateway\WEB-INF
3. Remove the “classes” folder if there is one. It’s not there by default. If the folder is exist, you can move it to another place to backup it.
4. Go to C:\Program Files\Arcserve\Unified Data Protection\Gateway.
5, Unzip the fix –, and then copy all files and folds from folder “GatewayManuallyPatch\Unified Data Protection\Gateway” to folder “C:\Program Files\Arcserve\Unified Data Protection\Gateway”
6. Start the Arcserve Remote Management Gateway Service.

Customers who decide to use P00001480, because they want to momentarily remain on version 6.5 update 3 must remember that the v6.5 update 4 package would later overwrite these fixes for the security vulnerabilities, and hence right after upgrading from v6.5 update 3 + P00001480 to v6.5 update 4, they would have then also have to apply P00001478.
Recommendation from Arcserve for any customer on v6.5 update 3 just now is to move directly to update 4 at the earliest opportunity, and then apply P00001478.


For details, please refer to the following link below.(Arcserve)