Remote Code Execution Vulnerability fix in NetBackup Appliances

Severity

Security Vulnerability

Description

CVE-2016-7399: Remote Code Execution (RCE) vulnerability

CVSS base Score: 10 

An instance was identified in Veritas NetBackup Appliance where an unauthenticated attacker could gain remote code execution through the NetBackup Web Management Interface. Input containing shell special characters reaches the internal scripts that the web interface invokes, and those scripts run as root, so the injected commands execute on the underlying operating system with root privileges.

NetBackup Appliance software versions 2.6.0.1 and later are affected by this vulnerability.
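The bug class the description above refers to is OS command injection: a web tier builds a shell command line from request input and hands it to an internal script, so a `;` or similar metacharacter ends the intended command and starts an attacker-controlled one. The following is an added illustration written for this article, not Veritas code and not the appliance's actual scripts or endpoints. The `lookup.sh` stub, the `hostname` parameter and the `lookup for:` output line are all constructed for the demonstration; the vulnerable handler is shown next to a hardened one that passes the value as a single argv element without a shell and allowlist-validates it first.

```python
"""Illustration (not Veritas code) of the bug class in this advisory: a web
handler forwarding user input to an internal script through a shell, so shell
metacharacters become extra commands, next to the hardened equivalent."""
import os
import re
import subprocess
import tempfile

# Constructed stand-in for an "internal script" the web tier calls. It only
# echoes its first argument; the real appliance scripts are not shown here.
_STUB_SCRIPT_BODY = '#!/bin/sh\necho "lookup for: $1"\n'
_STUB_PATH = None


def stub_script() -> str:
    """Write the stand-in script once to a temp dir and return its path."""
    global _STUB_PATH
    if _STUB_PATH is None:
        workdir = tempfile.mkdtemp(prefix="nbu-demo-")
        _STUB_PATH = os.path.join(workdir, "lookup.sh")
        with open(_STUB_PATH, "w") as fh:
            fh.write(_STUB_SCRIPT_BODY)
    return _STUB_PATH


def vulnerable_lookup(hostname: str) -> str:
    """The pattern the advisory describes: request input interpolated into a
    shell command line. A '; echo ...' suffix in hostname is parsed by /bin/sh
    as a second command, which runs with the privileges of the calling
    process (root on the appliance)."""
    cmd = f"sh {stub_script()} {hostname}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_lookup(hostname: str) -> str:
    """First layer of the fix: no shell. The value is one argv element, so the
    script receives the whole payload as a single literal argument."""
    return subprocess.run(["sh", stub_script(), hostname],
                          capture_output=True, text=True).stdout


# Hypothetical allowlist for a hostname-like value: label characters only,
# no leading '-', bounded length. Adjust to the field actually being passed.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def hardened_lookup(hostname: str) -> str:
    """Second layer: reject anything outside the expected grammar before it is
    passed on, then call the script without a shell."""
    if not _HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return argv_only_lookup(hostname)


if __name__ == "__main__":
    payload = "host1; echo INJECTED"          # constructed test input
    print(vulnerable_lookup(payload), end="")  # second line: INJECTED
    print(argv_only_lookup(payload), end="")   # payload stays one argument
    try:
        hardened_lookup(payload)
    except ValueError as err:
        print(err)
```

Both layers matter: dropping the shell stops metacharacters from being interpreted, and the allowlist keeps a crafted value from reaching a script that may itself re-parse its arguments. This is also why the advisory's note against simply disabling the web service is not a substitute for the EEB: the dangerous path is the untrusted input reaching root-privileged scripts, and only the fix changes that.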

This vulnerability will be fixed in the upcoming NetBackup Appliance software release.

Note: This vulnerability does not affect the NetBackup software itself or OpsCenter.

Action Required

Emergency Engineering Binaries (EEBs) are available to fix this vulnerability on the following NetBackup Appliance releases:

 - versions 2.6.0.4, 2.6.1.2, 2.7.2 and 2.7.3.

Apply the appropriate EEB for your version.

Before installing the EEB, note the following:
  • To avoid an EEB installation failure, stop all NetBackup jobs before installing the EEB.
  • The EEB must be installed on the master server appliance and on every associated media server appliance.
  • A reboot is not required after EEB installation.
  • If you upgrade the appliance after installing this EEB, you must reinstall the EEB that corresponds to the upgraded software version, since the upgrade replaces the patched binaries.
  • Do not attempt to disable the web service on the appliance as a workaround for this problem.
For instructions on installing EEBs, refer to article number 000076512 via the Related Articles link on this page.

Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.
  • The fix is included in the NetBackup Appliance 3.0 release.
Please access the following link for download and README information:
 https://www.veritas.com/content/support/en_US/58991.html

Revision History:
Oct. 16, 2016:  EEB for version 2.7.2 included.

Terms of use for this information are found in Legal Notices.
