Sign In
Forgot Password

Don’t have an account? Create One.

NetBackup Appliances Hotfix - Apache struts vulnerability - CVE-2017-5638





Security Impact: High 

NetBackup appliance release versions 2.5.x to 3.0 contain a vulnerability that allows remote attackers to execute arbitrary commands by using a #cmd= string, in a crafted Content-Type HTTP header. 

Read me


The vulnerability has been identified in Apache Struts versions earlier than 2.3.32, which are used in NetBackup appliance release versions 2.5.x to 3.0.


Emergency Engineering Binaries (EEBs) to fix this vulnerability are available for the following NetBackup appliance release versions:

     , 2.7.1, 2.7.2, 2.7.3, 3.0

Apply the appropriate EEB for your version.

Before installing the EEB, note the following:

  • To avoid an EEB installation failure, you must stop all NetBackup jobs before installing the EEB.
  • This EEB must be installed on both the master server and all associated media server appliances.
  • A reboot is not required after EEB installation.
  • If you upgrade your appliance after installing this EEB, you must reinstall the EEB that is associated with the upgraded software version.
  • Do not attempt to disable the web service on the appliance to alleviate this problem.


Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers. 

The fix will be available in the upcoming release of the NetBackup Appliance.

Update files

File name Description Version Platform Size

Applies to the following product releases