NetBackup Appliances Hotfix - Apache Struts vulnerability - CVE-2017-5638
Abstract
Description
CVE-2017-5638
Security Impact: High
NetBackup appliance release versions 2.5.x to 3.0 contain a vulnerability that allows remote attackers to execute arbitrary commands by using a #cmd= string in a crafted Content-Type HTTP header.
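Because the issue is triggered through the Content-Type header, captured request headers (for example from a reverse proxy or packet capture in front of the appliance) can be reviewed for it. The following Python is an added example, not Veritas or Apache code: it flags Content-Type values that carry the #cmd= string or that are not a well-formed media type. The "%{" and "${" markers, the host name, the URL paths and the sample requests are assumptions constructed for the example.

```python
import re

# "#cmd=" is the string the advisory names; the "%{" and "${" expression
# openers are an extra heuristic assumed by this example.
OGNL_MARKERS = re.compile(r"#cmd\s*=|[%$]\{", re.IGNORECASE)
# A well-formed media type: type/subtype plus optional ;name=value parameters.
NAME = r"[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]*"
MEDIA_TYPE = re.compile(
    rf'^{NAME}/{NAME}(\s*;\s*[A-Za-z0-9_.-]+=("[^"]*"|[^\s;"]+))*\s*;?$')

def content_types(raw_head):
    """Yield each Content-Type value, joining folded continuation lines first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_head)
    for line in unfolded.splitlines()[1:]:          # [0] is the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            yield value.strip()

def classify(raw_head):
    """Return 'ognl', 'malformed' or 'ok' for one raw request head."""
    verdict = "ok"
    for value in content_types(raw_head):
        if OGNL_MARKERS.search(value):
            return "ognl"
        if not MEDIA_TYPE.match(value):
            verdict = "malformed"
    return verdict

def scan(heads):
    """Return (index, verdict) for every request head that is not 'ok'."""
    return [(i, v) for i, h in enumerate(heads) if (v := classify(h)) != "ok"]

# Constructed sample request heads (inert marker strings, hypothetical host).
SAMPLE_HEADS = [
    "POST /upload.action HTTP/1.1\r\nHost: appliance.example\r\n"
    "Content-Type: multipart/form-data; boundary=----a1b2c3\r\n\r\n",
    "POST /login.action HTTP/1.1\r\nHost: appliance.example\r\n"
    "Content-Type: %{#cmd='CONSTRUCTED'}\r\n\r\n",
    "POST /login.action HTTP/1.1\r\nHost: appliance.example\r\n"
    "content-type: multipart/form-data;\r\n\t boundary=${#cmd='CONSTRUCTED'}\r\n\r\n",
    "POST /login.action HTTP/1.1\r\nHost: appliance.example\r\n"
    "Content-Type: (not a media type)\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: appliance.example\r\n\r\n",
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_HEADS):
        print(index, verdict)
```

The third sample shows why header names are compared case-insensitively and folded lines are joined before matching: a line-by-line search for "Content-Type:" would miss it.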
Cause
The vulnerability has been identified in Apache Struts versions earlier than 2.3.32, which are used in NetBackup appliance release versions 2.5.x to 3.0.
Solution
Emergency Engineering Binaries (EEBs) to fix this vulnerability are available for the following NetBackup appliance release versions:
2.6.1.2, 2.7.1, 2.7.2, 2.7.3, 3.0
Apply the appropriate EEB for your version.
Before installing the EEB, note the following:
- To avoid an EEB installation failure, you must stop all NetBackup jobs before installing the EEB.
- This EEB must be installed on both the master server and all associated media server appliances.
- A reboot is not required after EEB installation.
- If you upgrade your appliance after installing this EEB, you must reinstall the EEB that is associated with the upgraded software version.
- Do not attempt to disable the web service on the appliance to alleviate this problem.
Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.
The fix will be available in the upcoming release of the NetBackup Appliance.