Remote Code Execution Vulnerability Impacting NetBackup Servers and Clients
- 1.0: July 18, 2023 – Initial Public Release
Veritas has addressed a remote code execution (RCE) vulnerability impacting NetBackup servers and clients.
Remote Code Execution
The NetBackup BPCD process inadequately validates the file path allowing an unauthenticated attacker to upload and execute a custom file.
- CVE ID: To be announced.
- Severity: Critical
- CVSS v3.1 Base Score: 9.8: ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H )
- Affected Product & Version:
- NetBackup primary server, media server, and clients – prior to 8.1.2
- NetBackup Appliance – prior to 3.1.2
- Recommended action:
- For NetBackup: If you are on a version prior to 8.1.2, upgrade to 18.104.22.168 or later. If you are currently on 8.1.2 or later no action is required.
- For NetBackup Appliance: If you are on a version prior to 3.1.2, upgrade to version 22.214.171.124 MR2 or later. If you are currently on 3.1.2 or later no action is required.
For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support)
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054