download-documentUnavailable

Unauthenticated users can execute arbitrary commands as root.

CVE ID: CVE-2017-8859

Severity: Critical

CVSS v3 Base Score: 9.8

Remote Code Execution (RCE) allows an unauthenticated attacker to gain remote access through the NetBackup Appliance Web Console.

As a root user, an attacker can use a combination of special characters to execute commands on the underlying operating system, which calls the internal scripts.

This patch contains security enhancements to prevent RCE vulnerability in NetBackup appliances, along with the fix for CVE-2016-7399

Note: This vulnerability does not affect NetBackup software or OpsCenter.

Action Required

Emergency Engineering Binaries (EEBs) are available for these security enhancements for the following NetBackup appliance release versions:

2.7.3, 3.0

NetBackup Appliance release 3.1 includes the fix for this vulnerability.

Apply the appropriate EEB for your version.

Before installing the EEB, note the following:

• This EEB is a superset of the EEB mentioned in the following article for CVE-2016-7399, since this EEB also includes that fix.
• To avoid an EEB installation failure, you must stop all NetBackup jobs before installation.
• This EEB must be installed on both the master server and all associated media server appliances.
• A reboot is not required after EEB installation.
• If you upgrade your appliance after installing this EEB, you must reinstall the EEB that is associated with the upgraded software version.
• Do not attempt to prevent any RCE vulnerability by disabling the web service on the appliance.