Remote Code Execution Vulnerability fix in NetBackup Appliances

  • Article ID: 000116055

Severity

Security Vulnerability

Description

CVE-2016-7399: Remote Code Execution (RCE) vulnerability

CVSS base score: 10

One instance was identified on the Veritas NetBackup Appliance in which an unauthenticated attacker could gain RCE through the NetBackup Web Management Interface. Special characters in input to the interface can be used to execute commands on the underlying operating system as the root user, the account under which the interface calls its internal scripts.
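The bug class described above, command injection through shell metacharacters in a web-interface parameter that reaches a privileged internal script, as an added illustration that is not NetBackup code: the vulnerable string-building pattern next to a hardened version that allowlists the value and hands it to the script as a single argv element. The script path, the parameter and the host-name rule are assumptions; /bin/echo stands in for the internal script.

```python
import re
import subprocess

# Constructed stand-in for a privileged internal script (assumption, not a
# real NetBackup path): /bin/echo just prints the arguments it receives.
INTERNAL_SCRIPT = "/bin/echo"

# Strict allowlist for the one parameter this handler accepts. The first
# character must be alphanumeric, so a value can never be parsed as an option.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Characters a POSIX shell interprets; useful for logging rejected requests.
SHELL_METACHARS = set(";|&$`<>(){}\n\\\"'*?~ ")


def contains_shell_metachar(value: str) -> bool:
    """Report whether a value carries characters a shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in value)


def build_command_unsafe(hostname: str) -> str:
    """The vulnerable pattern: untrusted input spliced into a shell string.
    Any metacharacter in `hostname` changes what the shell executes, with
    the privileges of the process that runs the string (root, per the advisory)."""
    return f"{INTERNAL_SCRIPT} --host {hostname}"


def build_command_safe(hostname: str) -> list[str]:
    """The hardened pattern: validate against the allowlist, then pass the
    value as its own argv element so no shell ever parses it."""
    if not _HOSTNAME_RE.fullmatch(hostname):
        raise ValueError("rejected host name: does not match allowlist")
    return [INTERNAL_SCRIPT, "--host", hostname]


def run_safe(hostname: str) -> str:
    """Execute the validated argv without a shell and return its stdout."""
    argv = build_command_safe(hostname)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    for candidate in ("backup01.example.net", "backup01;id"):
        print(candidate, "-> metacharacters:", contains_shell_metachar(candidate))
        try:
            print("   argv:", build_command_safe(candidate))
        except ValueError as exc:
            print("   ", exc)
```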
NetBackup Appliance software versions 2.6.0.1 and later are affected by this vulnerability.

The fix is available in the NetBackup appliance 3.0 release.

Note: This vulnerability does not affect NetBackup software or OpsCenter.

Action Required

Emergency Engineering Binaries (EEBs) are available to fix this vulnerability on the following releases of the NetBackup appliances:

  • versions 2.6.0.4, 2.6.1.2, 2.7.2 and 2.7.3.

Apply the appropriate EEB for your version.

Before installing the EEB, note the following:
  • This EEB fix is also available as a part of the EEB mentioned in the following Technote: Security Enhancements to prevent RCE vulnerability in NetBackup appliances: https://www.veritas.com/support/en_US/article.000126557
  • If you already have this EEB installed, you can still install the EEB from article.000126557.
  • Do not install this EEB after installing EEB from article.000126557.
  • To avoid an EEB installation failure, you must stop all NetBackup jobs before installing the EEB.
  • This EEB must be installed on both the master server and all associated media server appliances.
  • A reboot is not required after EEB installation.
  • If you upgrade your appliance after installing this EEB, you must reinstall the EEB that is associated with the upgraded software version.
  • Do not attempt to disable the web service on the appliance to alleviate this problem.
Before rolling back the EEB, note the following:
  • If you have installed the EEB from article.000126557 in addition to this EEB:
    • This EEB must be rolled back after the EEB from article.000126557 has been rolled back.
    • If you roll back this EEB before rolling back the EEB from article.000126557, the appliance web service goes down and you cannot log in to the appliance from the web console. If this occurs, roll back the EEB from article.000126557 and then try again to roll back this EEB.
For instructions on installing EEBs, refer to article number 000076512 by clicking the Related Articles link on this page.

Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.  

Please access the following link for download and README information:
https://www.veritas.com/content/support/en_US/58991.html

Revision History:
Oct. 16, 2016:  EEB for version 2.7.2 included.

Terms of use for this information are found in Legal Notices.
