Description
CVE-2016-7399: Remote Code Execution (RCE) vulnerability
CVSS base Score: 10
One instance was identified on the Veritas NetBackup Appliance where an unauthenticated attacker could gain RCE through the NetBackup Web Management Interface.
The web interface passes user-supplied input containing shell special characters to internal scripts that run as the root user, so an attacker can inject commands and have them executed on the underlying operating system as root.
NetBackup Appliance software versions 220.127.116.11 and later are affected by this vulnerability.
This vulnerability will be fixed in the upcoming release of the NetBackup Appliance software.
Note: This vulnerability does not affect NetBackup software and OpsCenter.
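The advisory only says that special characters reach root-run internal scripts; it does not publish the vulnerable parameter or script. The following is an added illustration, not Veritas code, of the command-injection pattern that description implies and of the two fixes a reviewer would ask for: invoke the script with an argument vector instead of a shell string, and validate the input against an allowlist before it ever reaches the script. The script name, the `hostname` parameter and the `echo` stand-in for the privileged script are assumptions made so the example runs anywhere.

```python
"""Command injection through a web parameter handed to a root-run script.

Added example, not code from the Veritas advisory or the NetBackup product.
Assumptions: the web layer takes a host name from a request and passes it to
an internal script; here that script is replaced by the `echo` command so the
behaviour can be observed without any privileged component.
"""
import re
import subprocess

# Stand-in for the internal script the web interface would call as root
# (assumption; the real script name is not given in the advisory).
STAND_IN_SCRIPT = "echo"

# Characters a POSIX shell uses to chain, substitute or redirect commands.
SHELL_META = set(";|&`$<>(){}\n\r")

# RFC 1123 style host name: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def contains_shell_meta(value: str) -> bool:
    """Quick detection check: does the input carry any shell metacharacter?"""
    return any(c in SHELL_META for c in value)


def is_accepted(hostname: str) -> bool:
    """Allowlist validation; anything outside the host name grammar is rejected."""
    return HOSTNAME_RE.fullmatch(hostname) is not None


def run_vulnerable(hostname: str) -> str:
    """The vulnerable pattern: input spliced into a string that /bin/sh -c parses.
    A value such as 'backup01; echo INJECTED' becomes two commands."""
    cmd = f"{STAND_IN_SCRIPT} {hostname}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_no_shell(hostname: str) -> str:
    """First fix: pass an argument vector. No shell parses the value, so
    metacharacters are delivered to the script as literal text."""
    return subprocess.run([STAND_IN_SCRIPT, hostname],
                          capture_output=True, text=True).stdout


def run_hardened(hostname: str) -> str:
    """Second fix layered on the first: reject anything that is not a host name
    before the script sees it, then call it without a shell."""
    if not is_accepted(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return run_argv_no_shell(hostname)


if __name__ == "__main__":
    payload = "backup01; echo INJECTED"  # constructed attacker input
    print("vulnerable :", repr(run_vulnerable(payload)))
    print("argv only  :", repr(run_argv_no_shell(payload)))
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened   :", exc)
```

Run with the constructed payload, the vulnerable path prints `backup01` and `INJECTED` on separate lines (the second command ran), the argv path prints the whole payload as one literal argument, and the hardened path refuses the input before any process is started. Validation is defence in depth here: removing the shell is what actually closes the injection, and the allowlist keeps hostile input from reaching whatever parsing the script itself does.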
Action Required
Emergency Engineering Binaries (EEBs) are available to fix this vulnerability on the following releases of the NetBackup appliances:
- versions 18.104.22.168, 22.214.171.124, 2.7.2, and 2.7.3.
Apply the appropriate EEB for your version.
Before installing the EEB, note the following:
- To avoid an EEB installation failure, stop all NetBackup jobs before installing the EEB.
- The EEB must be installed on the master server appliance and on every associated media server appliance.
- A reboot is not required after EEB installation.
- If you upgrade the appliance after installing this EEB, you must install the EEB that corresponds to the upgraded software version.
- Do not attempt to disable the web service on the appliance as a workaround for this problem.
Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.
- The fix is available in the NetBackup Appliance 3.0 release.
Oct. 16, 2016: EEB for version 2.7.2 included.