Hotfix for Security Advisory Impacting NetBackup Java Admin Console
- 1.0 November 15, 2022 – Initial Public Release
- 1.1: November 18, 2022 – Added CVE ID
Veritas has addressed an OS Command Injection vulnerability affecting the NetBackup Java Admin Console. Please see the “Notes” section below to determine if you are vulnerable to this issue. Only users explicitly added to the auth.conf file can exploit this vulnerability.
OS Command Injection vulnerability
A vulnerability in the NetBackup Java Admin Console allows authenticated non-root users that have been explicitly added to the auth.conf file to execute arbitrary commands as root.
- CVE ID: CVE-2022-45461
- Severity: High
- CVSS v3.1 Base Score: 7.5 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Potentially impacted components: Primary servers, Media servers, and Clients. (See Notes below).
- Recommended action:
- NetBackup: Upgrade to 8.2, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 10.0.0.1 or 10.1 and apply corresponding Hotfix
- NetBackup Appliance: Upgrade to 3.2, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52 or 184.108.40.206 MR1 and apply appropriate Hotfix.
- Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances.
- Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.
The /usr/openv/java/auth.conf file grants access to functions in the NetBackup Administration Console. This file is created by default with only root having administrative rights. This file is present on Primary Servers, Media Servers and Clients.
Unless auth.conf is modified by adding non-root users to it and allowing those users to manage Primary servers or Media servers or Clients, the environment is NOT vulnerable, and the fix is not required.
This affects only Unix-based servers and clients. Windows-based servers and clients are unaffected.
The fix updates the vulnerable bpjava binary on the target system that the Java Admin UI console connects to.
For more details about auth.conf please see: https://www.veritas.com/content/support/en_US/doc/21733320-149123528-0/v41641695-149123528
For questions or problems regarding this advisory please contact Veritas Technical Support (https://www.veritas.com/support)
Veritas would like to thank the Nordea Backup Team for reporting the issue to us.
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054