Revision History

  • 1.0: April 01, 2022: Initial version
  • 2.0: April 08, 2022: Added Access BYOS and InfoScale VEA as not vulnerable
  • 3.0: April 22, 2022: Added Multiple Appliance Products with Remediation recommendations

Summary

The Spring Framework Remote Code Execution vulnerability via Data Binding on JDK 9+ (CVE-2022-22965) has been identified in multiple Veritas Appliance Products. The following Veritas products are impacted:

Product Vulnerable Versions Fixed Versions CVE ID Remediation

Access Appliance

7.4.3/7.4.3.100/7.4.3.200

7.4.3.300

To be announced

Article 100052919

Flex Appliance

1.3.x, 2.0, 2.0.1, 2.0.2, 2.1

2.0.2 w/ Hotfix
2.1 w/ Hotfix

To be announced

Article 100052862

NetBackup Appliance/
NetBackup Virtual Appliance

4.0/4.0.0.1 MR1/4.0.0.1 MR2
4.0.0.1 MR3
4.1/4.1.0.1 MR1
4.1.0.1 MR2

4.0.0.1 MR3 w/ Hotfix
4.1.0.1 MR2 w/ Hotfix
5.0

To be announced

Article 100052910

NetBackup Flex Scale Appliance

2.1, 3.0

2.1 Hotfix
3.0 Hotfix

To be announced

Article 100052911

Issue

The above Veritas products include Spring Framework applications running on java JDK 9 and may be vulnerable to remote code execution (RCE) via data binding.

Severity: Critical
CVSS v3.1 Base Score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

The Spring Framework vulnerability is due to Improper Neutralization of Special Elements used in an OS Command (CWE-78) which allows an attacker to load an arbitrary malicious class, resulting in a possible malicious code execution on the server.

Remediation

Customers under a current maintenance/support contract should update to one of the Fixed Versions identified in the table above.

Non-Impacted Veritas Products

The following Veritas products include the Spring Framework, however, based on the information that is currently available, these Veritas products to not appear to be exploitable by this vulnerability. Veritas will update this communication if there are any changes in this respect.

Product Vulnerable Comments

Access Appliance 7.4.2.x

No

Does not use JDK >= 9

CloudPoint

No

Does not use JDK >= 9

Data Insight

No

Does not use JDK >= 9

eDiscovery

No

Does not use JDK >= 9

NetBackup

No

Does not use JDK >= 9

NetBackup Appliance 3.x

No

Does not use JDK >= 9

NetBackup Appliance 5.x

No

Uses Spring Framework 5.3.18

NetBackup Virtual Appliance 3.x

No

Does not use JDK >= 9

NetBackup Virtual Appliance 5.x

No

Uses Spring Framework 5.3.18

NetBackup IT Analytics (Previously APTARE)

No

Does not distribute Spring in a WAR file

NetBackup OpCenter

No

Does not use JDK >= 9

Veritas InfoScale Operations Manager (VIOM)

No

Does not use JDK >= 9

Veritas Recovery Platform (VRP)

No

Does not use JDK >= 9

The following Veritas products do not include the Spring Framework, and are not impacted by this vulnerability:

  • Access BYOS
  • Appliance Management Server (AMS)
  • Backup Exec
  • Desktop Laptop Option
  • Enterprise Vault
  • Enterprise Vault.cloud
  • InfoScale core stack (VCS / VM / FS)
  • InfoScale Veritas Enterprise Administrator (VEA)
  • NetBackup Recovery Vault
  • NetBackup SaaS Protection
  • Merge1
  • Quick Assist
  • Veritas Advanced Supervision
  • Veritas System Recovery (VSR)

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support)

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054