Avid Security Guidelines and Best Practices for Dealing with Virus Threats
Avid's security recommendations on the use of anti-virus software to deal with virus threats, and status on security bulletin and service pack qualifications to deal with virus threats


Last Updated : April 17, 2024


What is Avid's policy regarding qualification of security bulletin updates and service packs?

What are Avid's recommendations regarding general network security and anti-virus software?


Avid Security Guidelines and Best Practices
Avid Endpoint Security Guidelines (updated February 26, 2024)
Includes information on endpoint security systems, including specific data on CrowdStrike Falcon.

Antivirus Support on Interplay and MediaCentral (updated March 19, 2020)
Includes information on general system security and antivirus solutions.
Note: Avid no longer qualifies its systems with traditional anti-virus applications.  See the Endpoint Security Guidelines (above) for more information on Avid's current qualification efforts.

Avid_MS_SecBulletin_Status_2024-04.pdf  
Includes information on monthly security updates for Microsoft Windows.
Older monthly bulletins are listed at the bottom of this page.

Follow this page to stay up to date on the latest information available from Avid.


For additional information on specific security threats, see the following:

November 15, 2023 Update
Apache ActiveMQ - Avid engineering has completed the investigation regarding Apache ActiveMQ.  The only product found to have an issue was MediaCentral | Production Management Media Indexer.  A patch for the Media Indexer was released (version 2023.7.1) and is available on the Avid Download Center/Avid MediaCentral LTM/Patches

Here is an updated list of Avid products tested:

[Image: list of Avid products tested]

November 6, 2023 Update
Apache ActiveMQ - here is a list of the Avid products that have been tested or are still under investigation:

[Image: list of Avid products tested or still under investigation]

Statement from engineering regarding the Floating License Server:

Avid recommends ensuring that none of the impacted products are exposed to the internet. For the Floating License Server, Flexera has more information located here: https://community.flexera.com/t5/Revenera-Company-News/Security-Advisory-Revenera-s-Response-to-Apache-ActiveMQ/ba-p/297442/jump-to/first-unread-message



November 3, 2023 Update

Avid is aware of the current vulnerability in Apache ActiveMQ. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol.

We are performing a full investigation of our products to identify affected components.

A patch will be issued as soon as it is available.
Most organizations do not allow public access to the internet from their production environments. However, if this is not the case and your systems are exposed, you are at a higher risk of attack.  Currently, we recommend that customers follow best practices for securing their Avid deployments and do not expose resources directly to the internet.

For additional information from Apache ActiveMQ, see https://activemq.apache.org/news/cve-2023-46604

March 30, 2023 Update

Avid has concluded the investigation with Microsoft, who have verified the integrity of the Sibelius 2023.3.1 installer on Windows after Windows Defender falsely flagged the Sibelius 2023.3.0 installer. We're pleased to say the latest release of Sibelius passes through Microsoft’s latest version of Windows Defender, so ensure you have the latest version of the security intelligence installed before downloading Sibelius. For help checking this, please see https://www.microsoft.com/en-us/wdsi/defenderupdates

If you need further help, please also see our dedicated knowledgebase article:

https://kb.avid.com/pkb/articles/knowledge/False-positive-alert-from-Windows-Defender


March 21, 2023 Update

UPDATE: Sibelius 2023.3 Communication 
 
Good news.  On Sunday, March 19, 2023, Microsoft confirmed that the warning message that Microsoft Defender displayed when unzipping the Sibelius 2023.3 installer was a false positive and have MARKED IT SAFE in the latest security intelligence in Microsoft Defender. 
 
You are advised to update to Microsoft Defender version 1.385.456.0 and above. This is usually done automatically, but to check this, go to Windows Security > Virus & threat protection and click "Check for updates". 
 
Thank you for your patience while we investigated with Microsoft this weekend to clarify the validity of the warning and integrity of our installer.  We will keep you updated on any news as soon as we can.
 
If you have any concerns, please contact our support team who will be able to assist: https://www.avid.com/sibelius/learn-and-support 
 


March 13, 2023 Update

On February 6, 2023, Avid became aware of an attack campaign targeting VMware ESXi hypervisors. The suspected aim of the campaign is to deploy ransomware onto VMware ESXi systems.

An authoritative source has also published an announcement: https://cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/
The infiltration point suspected to be used by malicious actors is described in CVE-2021-21974.

Avid has completed its investigation and found that no Avid software is affected.

If your site uses VMware, please follow the vendor's best practices and procedures so that Avid software running in a VMware environment is not exposed to this vulnerability.

A patch for CVE-2021-21974 has been available since February 23, 2021.
This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to remotely execute arbitrary code.

According to the list of versions affected by CVE-2021-21974, the vulnerable VMware ESXi systems are not only versions 6.x prior to 6.7, but also the following:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

It is recommended to apply the workaround published by VMware at https://kb.vmware.com/s/article/76372, which is intended to prevent CIM clients from locating CIM servers through the SLP service.

Because this is only a workaround, it is highly recommended to update VMware ESXi by applying all patches available from the vendor. More details are available in the vendor's security announcement: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

In addition to applying the patch, it is recommended to perform a security analysis of the VMware ESXi instance and search for signs of potential compromise.




October 28, 2022 Update
Avid has closed the investigation of the CVE-2022-42889 (Text4shell) issue and no Avid products were found to have this vulnerability.


May 6, 2022 Update:
Avid has concluded its investigation of the SpringShell Zero Day vulnerability.  FlexNet Device Manager is the only Avid product that is affected by this vulnerability. To mitigate the impact, Avid recommends that you isolate this server from the internet.

For details on this process, see the following Avid Knowledge Base article:
https://kb.avid.com/pkb/articles/en_US/how_to/How-to-Restrict-Web-Access-to-the-Admin-Console-for-the-FLS

For more information, see the “FlexNet Device Manager for Avid Administration Guide” at:
https://kb.avid.com/pkb/articles/en_US/user_guide/Media-Composer-Documentation-Links 

For more information on the SpringShell Zero Day vulnerability, see the following link:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#status


March 2022 Update:
The Avid MediaCentral | Cloud UX security update/patch for CVE-2021-4034 was released on March 30th.
The severity of this issue is high and this is considered a mandatory patch.

You can find the details of this issue and the installation instructions on the readme here:
MediaCentral Cloud UX CVE-2021-4034 ReadMe


December 2021 Update:
Avid is aware of the recently reported Apache Log4j RCE vulnerability.
CVE-2021-44228 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Please review the following document for more information, and follow Avid Best Practices for isolating your Avid systems from the internet.
Avid_Technology_Log4j_Assessment.pdf  (updated February 9, 2022)


December 2018 Update:
Kubernetes (https://kubernetes.io/) has identified an issue where unauthorized users can gain access to a system running the Kubernetes software.

MediaCentral Cloud UX v2018.6 and higher uses Kubernetes and could potentially be affected.

For customers adhering to Avid security recommendations and best practices, Avid believes that the threat is low. Avid recommends that customer production environments remain non-public in a separate domain, or otherwise isolated from external public access. In accordance with Avid’s current security guidelines, Avid strongly recommends that all users who require remote access to MediaCentral Cloud UX connect through a VPN. 

Details on the vulnerability are provided here: https://github.com/kubernetes/kubernetes/issues/71411

MediaCentral Cloud UX v2020.4 and later include versions of Kubernetes that resolve this issue. If you are running an older version of MediaCentral Cloud UX, Avid recommends that you upgrade to the latest version available to implement this and other important security updates.
 

March 2018 Update:
Avid has tested the latest available operating system updates related to the recently identified “Meltdown” and “Spectre” vulnerabilities. We will continue to test additional security patches on this topic, as they become available. Security patches will be deemed qualified by Avid when testing confirms that the patches do not cause the Avid product to become inoperable. Note that installing the following operating system and BIOS updates might cause a performance degradation in certain Avid products as further described below. 
 
Available Security Updates

The available Meltdown and Spectre security patches include the following:

  • Windows OS security updates – available via the January 3rd Windows Update package
  • Mac OS X security updates – available through Apple updates
  • RedHat Enterprise Linux v6.5 – available as a download from the RedHat website

The security updates listed above are the only ones qualified by Avid at this time.

Note: If you are patching an Avid MediaCentral Platform Services server, you must download an Avid software patch in addition to certain RedHat update files. Avid does not support installing RedHat updates on the MediaCentral server without the Avid patch. For additional information, see Avid MediaCentral Platform Services (MediaCentral UX) below.

In addition, BIOS updates from the hardware vendors might also be required. Note that BIOS updates are not yet available for AS3000 systems.

Linux OS Based Updates

Some products running on Linux-based operating systems such as Red Hat and CentOS have not been tested as security updates for these versions of the operating system are not yet available. This means that testing for such products will not occur until the Linux OS patches are available. The following lists the Linux-based Avid applications:

  • MediaCentral Platform Services (see below)
  • MediaCentral | Cloud UX
  • Avid | ISIS - Linux Client
  • Avid NEXIS - Linux Client
  • Maestro Graphics Core
  • Avid iNEWS Server

Avid Proprietary Systems

Some Avid systems include custom software components which could require a re-release of the software by Avid. We will provide updates on this page as soon as they are available.

  • Avid NEXIS - System Director
  • Avid NEXIS - Storage Manager
  • Avid FastServe (Playmaker)
  • Avid ISIS System Director - BIOS only
  • Avid ISIS 5000 - BIOS only

Avid MediaCentral Platform Services (MediaCentral UX)

(March 2, 2018) A patch is now available for currently supported versions of Avid MediaCentral Platform Services. For more information on this update, click on the link to your version of software under the MediaCentral UX Documentation page and reference the MediaCentral Security Patch ReadMe.

Testing Results for Mac and Windows OS Systems

This section applies to the Microsoft January 3rd Update package and available Mac OS updates. 

Avid has tested the available Mac and Windows OS updates across the majority of the Avid product line and has determined that there is no loss in functionality after applying the updates.

Avid does see a performance impact ranging from 0 to 20% on applications with high I/O usage. Avid’s observations are consistent with performance guidance given by Microsoft, example quoted below:

“Enabling these mitigations may affect performance. The actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. Microsoft recommends that customers assess the performance impact for their environment and make necessary adjustments.”

See: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

For additional information on performance impacts as characterized by Microsoft, see the following article:

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

Note that in order to benefit from the security updates you must perform the following related tasks. The sections at the end of this report provide additional information.

  1. Update your antivirus solution to prepare for the security update installation.
  2. Apply the Windows and Mac security updates.
  3. Enable registry key changes on Windows Server operating systems to enable the security fixes.

We anticipate additional patches including BIOS updates and will continue to monitor their availability. This will include patches for Linux RedHat and BIOS updates for AS3000 systems.

While Avid recommends that you wait until security updates are qualified, Avid recognizes that customers may wish to install the latest security update that may be available for their operating systems and hardware before Avid’s test period is complete. If a security update results in an issue in your production environment, Avid will make reasonable efforts to assist you in diagnosing the problem under the terms of your current support agreement.

AntiVirus Updates

  • The Microsoft security updates released in January, 2018 require antivirus vendors to enable a registry key to support the new updates.

For more information, see https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.

  • Avid supports Symantec Endpoint v14.0 and v12.1. On January 4th Symantec issued a patch for Symantec™ Endpoint v14.0 and v12.1 that includes the registry key required by Microsoft. Customers running Symantec Endpoint Protection must run Symantec LiveUpdate to download and install the patch before installing the January, 2018 Microsoft security updates.

For more information, see the following links to the Symantec support site: https://support.symantec.com/en_US/article.INFO4793.html and https://support.symantec.com/en_US/article.INFO4797.html.  

Updating Windows Systems 

  • If you are running a version of the Windows Server operating system, installing the security updates is only the first step in the process. After installing the updates, you must complete a series of manual updates to the operating system’s registry as described in the following article:

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

  • For additional information on other versions of the Windows operating system including Windows 7, Windows 10, and more, see the following link to the Microsoft website:

https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown
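
The registry prerequisites in steps 1 and 3 above can be audited with a read-only script. This is an added example, not Avid's or Microsoft's code; the key and value names come from the Microsoft articles linked above (KB4072699 and KB4072698), not from this page, and should be confirmed against the current article text. It does not check step 2 (that the update itself is installed).

```powershell
# Added example (not Avid or Microsoft code). Read-only audit of the registry
# prerequisites from Microsoft KB4072699 (antivirus compatibility key) and
# KB4072698 (Windows Server mitigation switches), January 2018 revisions.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the named value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-SpeculationPrereqs {
    $avKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $avName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $mmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    # ProductType 1 = workstation, 2 = domain controller, 3 = member server.
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1

    $av       = Get-RegValue $avKey $avName
    $override = Get-RegValue $mmKey 'FeatureSettingsOverride'
    $mask     = Get-RegValue $mmKey 'FeatureSettingsOverrideMask'

    # Step 1: the antivirus product must have set this value (data 0) before
    # Windows Update offers the January 2018 security update. Compare against
    # $null, because a present value of 0 is falsy in PowerShell.
    $avReady = $null -ne $av

    # Step 3: on Windows Server the mitigations stay off until both switches
    # exist. The KB gives Override=0 and Mask=3; testing the low two bits also
    # accepts later values that add flags for other mitigations (assumption).
    $serverOn = ($null -ne $override) -and ($null -ne $mask) -and
                (($override -band 3) -eq 0) -and (($mask -band 3) -eq 3)

    [pscustomobject]@{
        IsServer                    = $isServer
        AntivirusCompatKeySet       = $avReady
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        ServerMitigationsEnabled    = if ($isServer) { $serverOn } else { 'n/a (client OS)' }
    }
}

Test-SpeculationPrereqs | Format-List
```

Registry values only show what has been requested; Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`) reports whether the mitigations are actually active after the reboot.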

Updating Mac Systems

  • Security updates are available for the Mac operating system.

For more information, see https://support.apple.com/en-us/HT208394 and https://support.apple.com/en-us/HT201222.


May 2017 Update:
The ransomware or malware virus referred to as WannaCryptAT or "Wanna Cry" was addressed with Microsoft update MS17-010. This patch was approved in the March 21st, 2017 Security Bulletin.
 

Additional Security Bulletins 

Refer to the following documents for information about the qualification status of Microsoft’s monthly security bulletins:

Avid_MS_SecBulletin_Status_2024-03.pdf  
Avid_MS_SecBulletin_Status_2024-02.pdf  
Avid_MS_SecBulletin_Status_2024-01.pdf  
Avid_MS_SecBulletin_Status_2023-12.pdf  
Avid_MS_SecBulletin_Status_2023-11.pdf
Avid_MS_SecBulletin_Status_2023-10.pdf  
Avid_MS_SecBulletin_Status_2023-09.pdf  
Avid_MS_SecBulletin_Status_2023-08.pdf  
Avid_MS_SecBulletin_Status_2023-07.pdf  
Avid_MS_SecBulletin_Status_2023-06.pdf 
Avid_MS_SecBulletin_Status_2023-05.pdf  
Avid_MS_SecBulletin_Status_2023-04.pdf  
