Security Impact: High
NetBackup appliance release versions 2.5.x to 3.0 contain a vulnerability that allows remote attackers to execute arbitrary commands by sending a crafted Content-Type HTTP header that contains a #cmd= string.
Cause
The vulnerability has been identified in Apache Struts versions earlier than 2.3.32, which are used in NetBackup appliance release versions 2.5.x to 3.0.
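The following is an added example, not Veritas code: one way to review request logs for the crafted Content-Type header described above. It assumes a tab-separated log that records the Content-Type request header; the log format, field order, sample lines and function names are constructed for illustration.

```python
import re

# RFC 7230 "token" characters, as used by the RFC 7231 media-type grammar.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# type/subtype followed by optional ;name=value parameters (token or quoted-string).
MEDIA_TYPE = re.compile(
    rf'^{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|"(?:[^"\\]|\\.)*"))*[ \t]*$'
)
MARKER = "#cmd="  # the string named in the advisory

# Constructed sample log: time, client, request line, Content-Type ("-" if absent).
SAMPLE_LOG = """\
2017-03-10T09:14:02Z\t192.0.2.10\tPOST /upload HTTP/1.1\tmultipart/form-data; boundary=----abc123
2017-03-10T09:14:05Z\t192.0.2.10\tGET /index HTTP/1.1\t-
2017-03-10T09:15:41Z\t198.51.100.7\tGET /index HTTP/1.1\tmultipart/form-data #cmd=PLACEHOLDER
2017-03-10T09:15:44Z\t198.51.100.7\tGET /index HTTP/1.1\ttext/plain;#cmd=PLACEHOLDER
2017-03-10T09:16:00Z\t192.0.2.22\tPOST /api HTTP/1.1\tapplication/json; charset="utf-8"
"""

def check_content_type(value):
    """Return the reasons a Content-Type value looks suspicious (empty if none)."""
    reasons = []
    if MARKER in value.lower():
        reasons.append("cmd-marker")
    # '#' is a legal token character, so a value can carry the marker and still
    # parse as a media type; the grammar check is kept as a separate signal.
    if not MEDIA_TYPE.match(value):
        reasons.append("not-a-media-type")
    return reasons

def scan(log_text):
    """Return (time, client, reasons) for every request with a suspicious header."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        when, client, _request, ctype = fields
        if ctype == "-":
            continue  # request carried no Content-Type header
        reasons = check_content_type(ctype)
        if reasons:
            findings.append((when, client, reasons))
    return findings

if __name__ == "__main__":
    for when, client, reasons in scan(SAMPLE_LOG):
        print(when, client, ",".join(reasons))
```

A hit from this check is a reason to review the appliance, not a substitute for installing the EEB.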
Emergency Engineering Binaries (EEBs) to fix this vulnerability are available for the following NetBackup appliance release versions:
184.108.40.206, 2.7.1, 2.7.2, 2.7.3, 3.0
Apply the appropriate EEB for your version.
Before installing the EEB, note the following:
- To avoid an EEB installation failure, you must stop all NetBackup jobs before installing the EEB.
- This EEB must be installed on both the master server and all associated media server appliances.
- A reboot is not required after EEB installation.
- If you upgrade your appliance after installing this EEB, you must reinstall the EEB that is associated with the upgraded software version.
- Do not attempt to disable the web service on the appliance to alleviate this problem.
For instructions on installing EEBs, refer to article number 000076512 by clicking the Related Articles link on this page.
Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.
- The fix will be available in the upcoming release of the NetBackup Appliance.