VTS23-013
Curl and Libcurl notification (CVE-2023-38545 and CVE-2023-38546)
Revision History
- 1.0: October 12, 2023: Initial version
- 1.1: October 20, 2023: Interim update
- 1.2: November 6, 2023: Interim update
- 1.3: November 28, 2023: Interim update
- 1.4: December 05, 2023: Interim update
- 1.5: December 18, 2023: Interim update
- 1.6: January 22, 2024: Interim update
Products: See the status table below.
Summary
Veritas is aware of the recently announced high severity vulnerability in curl and libcurl (CVE-2023-38545). All Veritas Product Security and Development teams are completing their assessment of the impact on Veritas products.
Current vulnerability status for CVE-2023-38545 and CVE-2023-38546:
| Veritas Product | Status |
|---|---|
| Access Appliance | Impacted – Low Risk (Only impacted if Veritas Data Duplication is configured or NBU client is configured) *See NetBackup and Appliance Guidance below |
| Alta Archiving | Not Vulnerable |
| Alta Backup as a Service | Not Vulnerable |
| Alta Capture | Not Vulnerable |
| Alta Data Protection | Not Vulnerable |
| Alta Discovery | Not Vulnerable |
| Alta Recovery Vault | Not Vulnerable |
| Alta SaaS Protection | Not Vulnerable |
| Alta Surveillance | Not Vulnerable |
| Alta View | Not Vulnerable |
| Backup Exec | Not Vulnerable |
| Data Insight | Not Vulnerable |
| Desktop and Laptop Option | Impacted. Update to version 9.8.3 from Download Center |
| eDiscovery Platform | Not Vulnerable |
| Enterprise Vault | Under Investigation |
| InfoScale | Not Vulnerable |
| Merge1 | Not Vulnerable |
| NetBackup | Impacted – Low Risk |
| NetBackup Appliance | Impacted – Low Risk |
| NetBackup Flex Appliance | Impacted – Low Risk |
| NetBackup Flex Scale | Impacted – Low Risk |
| NetBackup IT Analytics | Not Vulnerable |
| NetBackup OpsCenter | Not Vulnerable |
| NetBackup Quick Assist | Not Vulnerable |
| NetBackup Resiliency Platform | Not Vulnerable |
| NetBackup Self Service | Not Vulnerable |
| NetBackup Snapshot Manager | Low Risk – **See NetBackup Snapshot Manager Notes below |
| System Health Insights | Not Vulnerable |
| Veritas Advanced Supervision | Not Vulnerable |
| Veritas InfoScale Operations Manager (VIOM) | Not Vulnerable |
| Veritas System Recovery | Impacted. Update to version 23.2 from Download Center |
*NetBackup and Appliance Guidance:
Veritas NetBackup considers CVE-2023-38545 to be very low risk for customers. Customers can continue to use existing NetBackup versions. Customers who are concerned that they might meet the vulnerable conditions below are advised to upgrade to NetBackup 10.1.1 or above and then install the applicable EEB to address the issue.
NetBackup's default settings do not use the socks5h protocol.
To exploit this vulnerability, an attacker needs to be able to:
- control SERVER entries in the NetBackup configuration (bp.conf on UNIX)
- control the environment variables of the account under which the NetBackup services run.
Both of the above settings can only be modified by an admin, root or service account.
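To audit those two preconditions on a NetBackup host, the following shell script is an added example (not Veritas code): it parses a constructed bp.conf body and environment dump; the bp.conf path named in its comments and the 255-byte hostname threshold (taken from curl's upstream CVE-2023-38545 advisory) are assumptions not stated in this notice.

```shell
#!/bin/sh
# Added example, not Veritas code: audit the two preconditions the advisory names
# for CVE-2023-38545 in NetBackup on UNIX. Inputs are passed as strings so the
# checks run offline; on a live host feed them the service account's "env" output
# and the body of bp.conf (commonly /usr/openv/netbackup/bp.conf; path assumed).

# Print "yes" if a proxy variable libcurl reads (ALL_PROXY, https_proxy or
# http_proxy; matched case-insensitively here) carries a socks5h:// value.
socks5h_proxy_set() {
    printf '%s\n' "$1" | awk '
        {
            i = index($0, "="); if (i == 0) next
            name = tolower(substr($0, 1, i - 1)); val = tolower(substr($0, i + 1))
            if (name ~ /^(all_proxy|https_proxy|http_proxy)$/ && val ~ /^socks5h:\/\//) hit = 1
        }
        END { if (hit) print "yes"; else print "no" }'
}

# Print the byte length of the longest "SERVER = <host>" entry in a bp.conf body.
longest_server_entry() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*SERVER[ \t]*=/ {
            sub(/^[ \t]*SERVER[ \t]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            if (length($0) > max) max = length($0)
        }
        END { print max + 0 }'
}

# "at-risk" only when both conditions hold together, as the advisory describes.
# The 255-byte hostname threshold is from curl's own CVE-2023-38545 advisory,
# not from this Veritas notice.
assess_host() {
    if [ "$(socks5h_proxy_set "$1")" = yes ] &&
       [ "$(longest_server_entry "$2")" -gt 255 ]; then
        echo at-risk
    else
        echo default-safe
    fi
}

# Constructed sample inputs (not captured from any real system).
SAFE_ENV='HOME=/root'
PROXY_ENV='ALL_PROXY=socks5h://proxy.example.internal:1080'
LONG_HOST=$(awk 'BEGIN { while (i++ < 260) printf "a"; print "" }')
BPCONF_NORMAL='SERVER = primary.example.internal
SERVER = media01.example.internal'
BPCONF_LONG="SERVER = primary.example.internal
SERVER = $LONG_HOST"

echo "socks5h proxy + long SERVER entry: $(assess_host "$PROXY_ENV" "$BPCONF_LONG")"
```

A host with the default environment (no socks5h proxy) is reported as default-safe regardless of its SERVER entries, which is the case the advisory expects for most customers.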
If you still have concerns and wish to apply an update, follow the Recommended Action below:
Impacted Components: Primary servers, Media servers and Clients
Affected Versions: 8.3 and above
Recommended Action:
NetBackup Primary and Media Servers: Upgrade to 10.3.0.1 or later (no Hotfix needed).
Or upgrade to 10.1.1 or 10.2.0.1 or 10.3 and apply appropriate Hotfix(es) from Download Center.
NetBackup Clients: Upgrade to 10.3.0.1 or later (no Hotfix needed).
Or upgrade to 10.1.1 or 10.2.0.1 or 10.3 and apply appropriate Hotfix from Download Center.
NetBackup Appliance: Upgrade to 5.1.1 MR2 Maintenance Release and apply appropriate Hotfix from Download Center.
Flex Appliance: Upgrade the NetBackup Container and apply the NetBackup Hotfix corresponding to the NetBackup Container version.
Access Appliance: Upgrade to 8.1 or 8.1.100 (recommended) and apply appropriate Hotfix from the NetBackup 10.1.1 downloads.
Flex Scale: Please contact Veritas Technical Support and reference VTS23-013 to obtain a fix.
**NetBackup Snapshot Manager Notes:
Guidance from Red Hat: The flaw requires a series of conditions to be met and the likeliness that they shall allow an attacker to take advantage of it is low. Even if the bug could be made to trigger, the risk that a cookie injection can be done to cause harm is additionally also low.
Questions
For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054