Impact of Spring4Shell vulnerability (CVE-2022-22965) on NetBackup Flex Appliances


Article: 100052862
Last Published: 2022-05-10
Product(s): Appliances

Description

Recently a zero-day vulnerability was reported in the popular open-source Java framework, Spring, that could allow an attacker to execute arbitrary code on a remote web server. Veritas has concluded that NetBackup Flex Appliances are impacted. Please see the table below for remediation steps.

NetBackup Flex version   | Remediation
-------------------------|--------------------------------------------------
2.1                      | (1) Download 2.1 hotfix here
                         | (2) Install hotfix
2.0.2                    | (1) Download 2.0.2 hotfix here
                         | (2) Install hotfix
1.3.x / 2.0 / 2.0.1      | (1) Upgrade to 2.1 here
                         | (2) Download hotfix here
                         | (3) Install hotfix

The Flex 2.1 Hotfix includes

  • Fix for Spring4Shell vulnerability (CVE-2022-22965)
  • Fix for HBA QLE2692 false alert that the temperature is high (V-475-105-1005)
  • Previously released fix for Log4j and Polkit vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4034)
  • Previously released fix for enabling the Isolated Recovery Environment (IRE) Air Gap solution

The Flex 2.0.2 Hotfix includes

  • Fix for Spring4Shell vulnerability (CVE-2022-22965)
  • Previously released fix for Log4j and Polkit vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4034)

It is not required to uninstall the previously released fixes.

Note the following:

  • If a node in the appliance is factory reset or reimaged, the version-specific hotfix must be applied on that node immediately after it is added back to the appliance and updated to the appliance version.
  • If an appliance is upgraded to any of the versions mentioned in the previous table, the version-specific hotfix must be applied on all nodes in the appliance after you commit the upgrade.

Special Note for Flex 2.1 relating to Air Gap

In the case of appliance recovery, first install the 2.1 hotfix (which has IRE Air Gap capability) and then start WORM storage server instances to retain the filtering rules that were in effect before the factory reset or the reimage.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 