VTS22-012

Hotfix for Security Advisory Impacting NetBackup Servers and Clients

Revision History

  • 1.0: End of September 2022 – Initial Public Release

Summary

Veritas has addressed vulnerabilities affecting NetBackup Primary and Media servers as well as Clients.

Issues

Issue #1: Path Traversal

The NetBackup Primary server is vulnerable to a Path traversal attack through the DiscoveryService service.

  • CVE ID: CVE-2022-42305
  • Severity: Medium
  • CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  • Impacted Components: Primary Server, although fixes apply to Primary Server, Media Server and Clients. See recommended action below.
  • Affected Versions: 10.0.0.1 and earlier
  • Recommended action:
    • NetBackup Primary Servers, Media Servers, Clients: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1 or 10.0.0.1 and apply appropriate Hotfix.
    • NetBackup Appliance: Upgrade to any Maintenance Release (MR) of 3.3.0.2 or 4.0.0.1 or 4.1.0.1 or 5.0.0.1 MR1 and apply appropriate Hotfix. Client Hotfix not applicable.
    • Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances. Client Hotfix not applicable.
    • Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

Issue #2: XML External Entity Injection

The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.

  • CVE ID: CVE-2022-42307
  • Severity: Medium
  • CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  • Impacted Components: Primary Server, although fixes apply to Primary Server, Media Server and Clients. See recommended action below.
  • Affected Versions: 10.0.0.1 and earlier
  • Recommended action:
    • NetBackup Primary Servers, Media Servers, Clients: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1 or 10.0.0.1 and apply appropriate Hotfix.
    • NetBackup Appliance: Upgrade to any Maintenance Release (MR) of 3.3.0.2 or 4.0.0.1 or 4.1.0.1 or 5.0.0.1 MR1 and apply appropriate Hotfix. Client Hotfix not applicable.
    • Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances. Client Hotfix not applicable.
    • Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

Issue #3: Denial of Service

The NetBackup Primary server is vulnerable to a denial of service attack through the DiscoveryService service.

  • CVE ID: CVE-2022-42299
  • Severity: Medium
  • CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  • Impacted Components: Primary Server, although fixes apply to Primary Server, Media Server and Clients. See recommended action below.
  • Affected Versions: 10.0.0.1 and earlier
  • Recommended action:
    • NetBackup Primary Servers, Media Servers, Clients: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1 or 10.0.0.1 and apply appropriate Hotfix.
    • NetBackup Appliance: Upgrade to any Maintenance Release (MR) of 3.3.0.2 or 4.0.0.1 or 4.1.0.1 or 5.0.0.1 MR1 and apply appropriate Hotfix. Client Hotfix not applicable.
    • Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances. Client Hotfix not applicable.
    • Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

Notes

This Security Advisory, VTS22-012, also addresses the issues identified in VTS22-008, which was released earlier. If you have not already applied VTS22-008, it is not necessary to apply VTS22-008 first; simply apply VTS22-012. If you have already applied VTS22-008, you can safely apply VTS22-012 on top of it.

Questions 

For questions or problems regarding this advisory, please contact Veritas Technical Support (https://www.veritas.com/support).

Acknowledgement 

Veritas would like to thank the following Airbus Security Team members for notifying us about these issues:   
Mouad Abouhali, Benoît Camredon, Nicholas Devillers, Anaïs Gantet, and Jean-Romain Garnier.  

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054