VTS23-013

Curl and Libcurl notification (CVE-2023-38545 and CVE-2023-38546)

Revision History

  • 1.0: October 12, 2023: Initial version
  • 1.1: October 20, 2023: Interim update
  • 1.2: November 6, 2023: Interim update
  • 1.3: November 28, 2023: Interim update
  • 1.4: December 05, 2023: Interim update
  • 1.5: December 18, 2023: Interim update
  • 1.6: January 22, 2024: Interim update

Products: see the status table below.

Summary

Veritas is aware of the recently announced high severity vulnerability in curl and libcurl (CVE-2023-38545). All Veritas Product Security and Development teams are completing their assessment of any impact on Veritas products.

Current vulnerability status for CVE-2023-38545 and CVE-2023-38546:

| Veritas Product | Status |
|---|---|
| Access Appliance | Impacted – Low Risk (only impacted if Veritas Data Duplication is configured or an NBU client is configured). *See NetBackup and Appliance Guidance below |
| Alta Archiving | Not Vulnerable |
| Alta Backup as a Service | Not Vulnerable |
| Alta Capture | Not Vulnerable |
| Alta Data Protection | Not Vulnerable |
| Alta Discovery | Not Vulnerable |
| Alta Recovery Vault | Not Vulnerable |
| Alta SaaS Protection | Not Vulnerable |
| Alta Surveillance | Not Vulnerable |
| Alta View | Not Vulnerable |
| Backup Exec | Not Vulnerable |
| Data Insight | Not Vulnerable |
| Desktop and Laptop Option | Impacted. Update to version 9.8.3 from the Download Center |
| eDiscovery Platform | Not Vulnerable |
| Enterprise Vault | Under Investigation |
| InfoScale | Not Vulnerable |
| Merge1 | Not Vulnerable |
| NetBackup | Impacted – Low Risk. *See NetBackup and Appliance Guidance below |
| NetBackup Appliance | Impacted – Low Risk. *See NetBackup and Appliance Guidance below |
| NetBackup Flex Appliance | Impacted – Low Risk. *See NetBackup and Appliance Guidance below |
| NetBackup Flex Scale | Impacted – Low Risk. *See NetBackup and Appliance Guidance below |
| NetBackup IT Analytics | Not Vulnerable |
| NetBackup OpsCenter | Not Vulnerable |
| NetBackup Quick Assist | Not Vulnerable |
| NetBackup Resiliency Platform | Not Vulnerable |
| NetBackup Self Service | Not Vulnerable |
| NetBackup Snapshot Manager | Low Risk. **See NetBackup Snapshot Manager Notes below |
| System Health Insights | Not Vulnerable |
| Veritas Advanced Supervision | Not Vulnerable |
| Veritas InfoScale Operations Manager (VIOM) | Not Vulnerable |
| Veritas System Recovery | Impacted. Update to version 23.2 from the Download Center |

*NetBackup and Appliance Guidance:

Veritas NetBackup considers CVE-2023-38545 to be very low risk for customers. Customers can continue to use existing NetBackup versions. Customers who are concerned that they might meet the vulnerable conditions below are recommended to upgrade to NetBackup 10.1.1 or above and then install the applicable EEB to address the issue.

NetBackup's default settings do not use the socks5h protocol.
To exploit this vulnerability, an attacker needs to be able to:

  1. control SERVER entries in the NetBackup configuration (bp.conf on UNIX), and
  2. control the environment variables of the account under which the NetBackup services run.

Both of the above settings can only be modified by an admin, root, or service account.
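The following audit helper is an added example, not Veritas code and not part of this advisory; it checks a UNIX NetBackup host for the two preconditions listed above (oversized SERVER entries in bp.conf, and a socks5h proxy in the service account's environment). It assumes the default bp.conf path /usr/openv/netbackup/bp.conf, that the environment is supplied as NAME=value lines (for example extracted from /proc/<pid>/environ of a running NetBackup daemon), and the 255-byte hostname threshold from the upstream curl advisory for CVE-2023-38545.

```shell
#!/bin/sh
# Added audit helper, not Veritas code. Checks the two preconditions the
# advisory lists for CVE-2023-38545 on a UNIX NetBackup host.
# Assumptions: bp.conf lives at /usr/openv/netbackup/bp.conf (NetBackup's
# default); libcurl picks its proxy from ALL_PROXY / HTTPS_PROXY / http_proxy.

# Count SERVER entries whose hostname exceeds 255 bytes. CVE-2023-38545 is
# only reachable with a hostname longer than 255 bytes sent via socks5h, so a
# legitimate bp.conf should never produce a hit. Prints the count.
count_long_server_entries() {
    _f="${1:-/usr/openv/netbackup/bp.conf}"
    [ -r "$_f" ] || { echo "cannot read $_f" >&2; return 2; }
    awk -F'=' '
        $1 ~ /^[ \t]*SERVER[ \t]*$/ {
            h = $2; gsub(/^[ \t]+|[ \t]+$/, "", h)   # trim whitespace
            if (length(h) > 255) n++
        }
        END { print n + 0 }
    ' "$_f"
}

# Read NAME=value lines on stdin (for example from
# `tr "\0" "\n" < /proc/<pid>/environ` of a running NetBackup daemon) and
# print every proxy variable that selects socks5h://, the only proxy scheme
# for which the bug is reachable. Prints nothing when the environment is clean.
socks5h_proxy_vars() {
    grep -iE '^(all_proxy|https_proxy|http_proxy)=socks5h://' || true
}

# Combine both checks. Returns 0 when neither precondition is present,
# 1 when at least one is, 2 when bp.conf cannot be read.
audit_host() {
    _conf="$1"; _envfile="$2"
    _long=$(count_long_server_entries "$_conf") || return 2
    _proxy=$(socks5h_proxy_vars < "$_envfile")
    _status=0
    if [ "$_long" -gt 0 ]; then
        echo "WARN: $_long SERVER entries longer than 255 bytes in $_conf"
        _status=1
    fi
    if [ -n "$_proxy" ]; then
        echo "WARN: socks5h proxy set in service environment:"
        echo "$_proxy"
        _status=1
    fi
    [ "$_status" -eq 0 ] && echo "OK: no CVE-2023-38545 precondition found"
    return "$_status"
}
```

On a live host, dump a NetBackup service's environment with `tr '\0' '\n' < /proc/<pid>/environ > /tmp/nb.env` and run `audit_host /usr/openv/netbackup/bp.conf /tmp/nb.env`; a non-zero exit means one of the advisory's preconditions is present and the upgrade path below should be followed.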

If you still have concerns and wish to apply an update, follow the Recommended Action below:

Impacted Components: Primary servers, Media servers and Clients

Affected Versions: 8.3 and above

Recommended Action:

NetBackup Primary and Media Servers: Upgrade to 10.3.0.1 or later (no Hotfix needed).

Or upgrade to 10.1.1 or 10.2.0.1 or 10.3 and apply appropriate Hotfix(es) from Download Center.

NetBackup Clients: Upgrade to 10.3.0.1 or later (no Hotfix needed).

Or upgrade to 10.1.1 or 10.2.0.1 or 10.3 and apply appropriate Hotfix from Download Center.

NetBackup Appliance: Upgrade to 5.1.1 MR2 Maintenance Release and apply appropriate Hotfix from Download Center.

Flex Appliance: Upgrade the NetBackup Container and apply the NetBackup Hotfix corresponding to the NetBackup Container version.

Access Appliance: Upgrade to 8.1 or 8.1.100 (recommended) and apply appropriate Hotfix from the NetBackup 10.1.1 downloads.

Flex Scale: Please contact Veritas Technical Support and reference VTS23-013 to obtain a fix.

**NetBackup Snapshot Manager Notes:

Guidance from Red Hat: The flaw requires a series of conditions to be met, and the likelihood that they will allow an attacker to take advantage of it is low. Even if the bug could be made to trigger, the risk that a cookie injection can be done to cause harm is also low.

Questions

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054