Impact of CVE-2014-6271 ("Shell Shock") and associated CVEs on NetBackup and NetBackup Appliances

Article: 100014140
Last Published: 2015-09-01
Product(s): NetBackup

Problem

Document history:
September 25, 2014: Initial publication
September 26, 2014: Revised to include additional information
September 30, 2014: Revised to include additional information
October 3, 2014: Updated with new information
October 6, 2014: Updated with Appliances hotfixes
October 7, 2014: Updated with link to additional hotfix instructions
October 14, 2014: Updated with additional hotfix for an EOSL product
November 13, 2014: Updated with additional information on Appliance upgrade paths
September 1, 2015: Removed public access to hotfixes - please upgrade to mitigate this issue

The purpose of this document is to define the impact of Shell Shock or bash bug "CVE-2014-6271" and newer bugs such as "CVE-2014-7169" and "CVE-2014-6278" on NetBackup and NetBackup Appliances.

Disclaimer: Some information contained in this document is forward looking and as such does not represent a commitment.
Any information regarding pre-release Veritas offerings, future updates or other planned modifications are subject to on-going evaluation by Veritas and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Veritas offerings should make their purchase decision based upon features that are currently available.

Solution

1. Which versions of bash does this vulnerability affect?

bash versions 4.3 and earlier on all Linux and Unix operating systems are affected.

2. Is there an impact to NetBackup software?

No.  NetBackup software is not affected by this vulnerability.

Note: This includes all OpsCenter software including OpsCenter Analytics.  They are also not affected.

3. Is there an impact to NetBackup Appliances?

NetBackup Appliances ship with an older, affected version of bash and are therefore potentially impacted.

With Critical System Prevention (CSP) technology enabled, all Appliance software versions 2.6.0.2 or higher are only minimally impacted.
Note: CSP technology is enabled by default on these versions.

All Appliance software versions prior to 2.6.0.2 are potentially impacted.

4. Is there an impact to IPMI interfaces?

Veritas and Intel are working together to investigate.

5. Which versions of NetBackup & NetBackup Appliances are impacted by this vulnerability?

Component                        Version                       Impact?
NetBackup                        7.6 / 7.6.0.1                 No
NetBackup                        Versions prior to 7.6         No
NetBackup (52xx) Appliances      2.6.0.2 and higher            Yes; minimal
NetBackup (52xx) Appliances      Versions prior to 2.6.0.2     Yes
Deduplication (50xx) Appliances  1.4.4                         Yes

6. In which release will this issue be resolved?

NetBackup software: The bash in the NetBackup vCenter Plugin (VCP) is not exploitable but will be patched in a future release to avoid possible false positives triggered by detection in scanners.

NetBackup Appliances: Patches for these issues are included in NetBackup Appliances 2.6.0.4 and 2.6.1.  Hotfixes for earlier versions are attached to this document.  Instructions for applying this hotfix can be found in the Related Article linked below.  Note: The "2.6.0.1" RPM may be applied to any 2.6.0.x Appliance (2.6.0.1, 2.6.0.2 or 2.6.0.3).

Note: These hotfixes are no longer publicly available, as their fixes are included in the releases mentioned above. If this issue is experienced, the supported resolution is to upgrade to the latest version.

Deduplication Appliances: A fix for this vulnerability is targeted for inclusion in Deduplication Appliances 1.4.5.  A hotfix for 1.4.4 is attached to this document.  This hotfix includes a README containing installation instructions.

Note: This hotfix is no longer publicly available, as its fixes are included in the 1.4.5 release update. If this issue is experienced, the supported resolution is to upgrade to the latest version.

PLEASE NOTE!  After this hotfix has been installed on an Appliance, rollback is not supported.  In addition, if a 2.5.x hotfix is installed on an Appliance, a future upgrade to 2.5.4 will not be possible; only an upgrade to 2.6.0.x will be possible.  If there are plans to upgrade an affected Appliance to 2.5.4, the hotfix should not be applied until after the upgrade, when the 2.5.4 hotfix should be applied.

Once a 2.6.0.x hotfix has been applied, it does not need to be reapplied even if upgrading to another affected 2.6.0.x - for example, if the hotfix is applied to an Appliance at 2.6.0.1, and the Appliance is later upgraded to 2.6.0.3, the hotfix will still be installed on the Appliance and thus will not need to be reinstalled.

However, if a 2.5.x hotfix is applied and the Appliance is later upgraded to an affected 2.6.0.x version, the 2.6.0.x (2.6.0.1) EEB must be applied after the upgrade - unless it is upgraded to 2.6.0.4 or above.

If the Appliance is upgraded to 2.6.0.4 or later, a hotfix will not be required as these versions will already contain an updated bash which is not affected by these vulnerabilities.

NetBackup Appliances 2.6.0.4 is now available - download and README information can be found in the Related Article linked below.

As always, Veritas Corporation recommends running NetBackup environments on the latest available version whenever possible.

7. If I have additional concerns, who can I contact?

You may contact your Veritas authorized reseller/partner or Veritas technical support.

Please use the Subscribe via email link on this page to receive email notifications as this document is updated and hotfixes are supplied.

Reference:
More information on these vulnerabilities can be found at the National Vulnerability Database at these links:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278

References

Etrack: 3628786
Etrack: 3631501
