Remote Code Execution vulnerability (article 100000481)

HotFix Critical

Abstract

Security Enhancements to prevent Remote Code Execution vulnerability in NetBackup appliances (article 100000481)

Description

Unauthenticated users can execute arbitrary commands as root.


CVE ID: CVE-2017-8859

Severity: Critical

CVSS v3 Base Score: 9.8


Remote Code Execution (RCE) allows an unauthenticated attacker to gain remote access through the NetBackup Appliance Web Console.

By supplying a combination of special characters, an attacker can execute commands as the root user on the underlying operating system, which calls the internal scripts.
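The description names the bug class (special characters reaching a shell that runs internal scripts) without showing code. The following added example is not Veritas code and is not taken from the advisory; it models the class with a hypothetical handler, where the function names, the hostname parameter and the `echo` stand-in script are all assumptions.

```python
import re
import subprocess

# Stand-in for an "internal script" (assumption): echoes its first argument.
SCRIPT = 'echo "lookup:$1"'

# Allow-list for the single parameter this hypothetical handler accepts.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def lookup_unsafe(host: str) -> str:
    """Vulnerable pattern: request data is concatenated into a shell command line."""
    cmd = "sh -c '" + SCRIPT + "' internal-script " + host
    # shell=True hands the whole string to /bin/sh, so metacharacters in
    # `host` are parsed as shell syntax instead of being treated as data.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(host: str) -> str:
    """Safer pattern: the value travels as one argv element, never re-parsed."""
    argv = ["sh", "-c", SCRIPT, "internal-script", host]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def lookup_hardened(host: str) -> str:
    """Defence in depth: allow-list validation first, then argv passing."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("parameter rejected by allow-list")
    return lookup_argv(host)


if __name__ == "__main__":
    constructed = "example.local; echo INJECTED"  # constructed sample input
    print("unsafe  :", lookup_unsafe(constructed).splitlines())
    print("argv    :", lookup_argv(constructed).splitlines())
    try:
        lookup_hardened(constructed)
    except ValueError as exc:
        print("hardened:", exc)
```

In the unsafe variant the constructed input yields a second output line from a command the handler never intended to run; with argv passing the same bytes stay inside one argument, and the allow-list rejects them before any process is started.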


This patch contains security enhancements to prevent the RCE vulnerability in NetBackup appliances, along with the fix for CVE-2016-7399.


Note: This vulnerability does not affect NetBackup software or OpsCenter.


Action Required

Emergency Engineering Binaries (EEBs) are available for these security enhancements for the following NetBackup appliance release versions:


2.7.3, 3.0

NetBackup Appliance release 3.1 includes the fix for this vulnerability.


Apply the appropriate EEB for your version.

Update files

File name Description Version Platform Size

Applies to the following product releases