04-27-2016 08:30 AM
Just got notified of this - anyone implemented it yet?
https://www.veritas.com/content/support/en_US/security/VTS16-001.html
Veritas Technologies LLC has released Security Advisory VTS16-001 affecting all versions of NetBackup and NetBackup Appliances prior to 7.7.2/2.7.2 and announced hotfix availability for the following versions:
NetBackup and NetBackup OpsCenter:
- 7.5.0.7
- 7.6.0.4
- 7.6.1.2
- 7.7
- 7.7.2 (for backwards compatibility)
NetBackup Appliances:
- 2.5.4
- 2.6.0.4
- 2.6.1.2
- 2.7.2 (for backwards compatibility)
04-27-2016 08:55 AM
I'm still trying to download it. Looks like it bumps the minor version number of some of the clients...or at least the 7.5 series.
Also this seems to mark a change in how patches were available. Under Symantec they were out in the open. Now they're only available via the licensing portal.
04-27-2016 09:22 AM
What are your thoughts on it? Yes, it's a vulnerability, but is it worth patching your entire environment including clients? Do you see a risk internally?
04-27-2016 09:39 AM
Odd - the CVEs are still not posted to Mitre site.
04-27-2016 10:51 AM
Well..under 7.6.1.2 the patches break the Java Console (which I've been trying to use but still hate). Good thing the real Admin Console is still available in this version.
Java Console 7.6.1.2+patch connecting to 7.6.1.2 Master+patch = "failed to connect to NetBackup Service Layer"...and I've applied both the 7.7.2 KB articles without fix
Same Java Console connecting to different 7.6.1.2 Master without patch = "not trusted connection" that then works
So something at the Master level is broke..
04-27-2016 11:55 AM
Mitre was notified of the publication of the security advisory shortly after it was published Tuesday. Under the best of circumstances it takes several days once an advisory has been published for the CVE database to be populated. Unfortunately, slow turnaround of vulnerabilities at Mitre is a well-known problem.
04-27-2016 02:37 PM
Have you tried the steps in technotes attached to the FAQs document that report a similar error?
FAQs link:
http://www.veritas.com/docs/000108248
Then the particular article:
https://www.veritas.com/support/en_US/article.000108224
04-27-2016 02:50 PM
That second article didn't exist this morning when I was looking for the error. I guess that's the problem with being an "early adopter" of hotfixes....
Yup, that was the problem...now why the EEB couldn't have run those same commands is anyone's guess.
04-27-2016 03:03 PM
I checked yesterday and I did see that document published. I think part of the issue with finding the technotes is that they are referenced in the "Related Documents" area in the HotFix technote and not in any of the other hotfix documents. They are searchable in the normal 'fashion' of things of course, but the only 'one stop shopping' is in that technote.
Hopefully this will help others also as there are a number of technotes linked there to address various issues people may encounter.
Deb
04-28-2016 03:05 AM
Just to cut it out in cardboard to everyone else, you really want to patch for this vulnerability.
It got a CVSS2 Base Score of 9.7 out of 10 possible.
https://en.wikipedia.org/wiki/CVSS
04-28-2016 05:09 AM
Had to open a case with Veritas due to the Hot Fix not being available for download. As of this morning April 28th, I was able to download the files.
04-28-2016 10:47 AM
Thanks Debs for assisting.
05-05-2016 10:42 AM
I am having some issues with a Win 8 PC running Java Admin Console - the patch fails to find the version file.
05-05-2016 08:32 PM
Not sure if I should start a new thread, hope this is a simple question.
On the FAQ page for this hotfix, it says:
12. If I upgrade to 7.7.2, do I need to install the hotfix on all 7.7.2 systems?
A. No. You only need to apply the 7.7.2 hotfix to 7.7.2 systems that are utilized to connect to back-level systems via the Java interface.
It sounds as if you only need to patch a host on which the Java Console is used to connect to a hotfix-patched-older-version of NetBackup (such as a hotfix-patched 7.6.1.2 media server or client).
Since you can't really launch the Java Console from the Appliance (you can connect to the Appliance with it), what is the 7.7.2 Hotfix for the Appliance file used for?
05-06-2016 04:53 AM
> what is the 7.7.2 Hotfix for the Appliance file used for?
Yes, that won't be of any use besides keeping it "identical" to a 7.7.2 patched NB non-appliance master.
05-08-2016 12:21 PM
Actually you CAN run the Java console on the appliance by displaying it back to a Windows-type PC using Xming or something similar. It isn't very easy to configure (I found a lot of items I had to manually configure) and I can't imagine why anyone would want to do that when it's so easy just to set up the console on a PC, but it is possible.
05-08-2016 09:12 PM
That may be the only possible explanation for that 7.7.2 Appliance hotfix.
I used to do the same using Xmanager for Linux Clients running minimum setups (no GUI) just to play with the NetBackup BMR GUI.
I prefer to just say to people "For as long as all your Master servers, Media servers, Clients and Nbu Java Consoles are all on NetBackup 7.7.2, you don't need the hotfix."
05-09-2016 01:55 AM
05-09-2016 06:01 AM
Found that on PC installs, you may need to use the -create option to create needed files.
05-09-2016 09:11 AM
RLeon and netbackup.sme: The Hotfix FAQs document has been updated to help clarify the appliance fix.
It now states:
12. If I upgrade to 7.7.2, do I need to install the hotfix on all 7.7.2 systems?
A. No. You only need to apply the 7.7.2 hotfix to 7.7.2 systems that are utilized to connect to back-level systems via the Java interface. For 2.7.2 Appliances, the eebinstaller will update the Java console binaries and is only needed if the console is being remotely displayed.
Hopefully that helps to clarify.