Apache struts vulnerability in NetBackup Appliances - CVE-2017-5638

  • Article ID:100033759

Problem

CVE-2017-5638
Security Impact: High

NetBackup appliance release versions 2.5.x to 3.0 contain a vulnerability that allows remote attackers to execute arbitrary commands by sending a crafted Content-Type HTTP header that contains a #cmd= string.
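The advisory names the attack vector but gives a defender nothing to check for. The following Python is an added example, not Veritas code: it flags request Content-Type values that carry the #cmd= string or OGNL expression delimiters, or that are not syntactically valid media types, as a web-tier or proxy log check. The marker list, helper names and sample log records are assumptions.

```python
import re

# Added example (not part of the Veritas article). A Content-Type header is only
# ever a media type ("type/subtype; param=value"), so a value carrying the
# "#cmd=" string named in the advisory, or Struts OGNL delimiters, is never
# legitimate and can be alerted on at the proxy or web tier. Samples are constructed.

# RFC 7231 media-type grammar: token "/" token *( ";" token "=" (token | quoted-string) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|\"[^\"]*\"))*\s*$"
)

# Checked before the grammar: "#cmd=example" is itself a valid token=token
# parameter, so a pure syntax check would let it through.
_MARKERS = ("#cmd=", "%{", "${")  # assumed indicator list


def classify_content_type(value: str) -> str:
    """Return 'ok', or a short reason why the Content-Type value is suspicious."""
    lowered = value.lower()
    for marker in _MARKERS:
        if marker in lowered:
            return f"expression marker {marker!r} in Content-Type"
    if not _MEDIA_TYPE.match(value):
        return "value is not a syntactically valid media type"
    return "ok"


def scan_requests(records: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (client, reason) for every request whose Content-Type is suspicious."""
    findings = []
    for client, content_type in records:
        reason = classify_content_type(content_type)
        if reason != "ok":
            findings.append((client, reason))
    return findings


# Constructed (client, Content-Type) pairs as a reverse proxy might log them.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "application/x-www-form-urlencoded"),
    ("10.0.0.6", 'multipart/form-data; boundary="----WebKitFormBoundaryAbc123"'),
    ("10.0.0.7", "multipart/form-data; boundary=x; #cmd=example"),
    ("10.0.0.8", "%{(#x=1)}"),
    ("10.0.0.9", "text/plain; charset"),
]

if __name__ == "__main__":
    for client, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{client}: {reason}")
```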

Cause

The vulnerability has been identified in Apache Struts versions earlier than 2.3.32, which are used in NetBackup appliance release versions 2.5.x to 3.0.

Solution

Emergency Engineering Binaries (EEBs) to fix this vulnerability are available for the following NetBackup appliance release versions: 2.6.1.2, 2.7.1, 2.7.2, 2.7.3, and 3.0.

Apply the appropriate EEB for your version.

Before installing the EEB, note the following:

  • To avoid an EEB installation failure, you must stop all NetBackup jobs before installing the EEB.
  • This EEB must be installed on both the master server and all associated media server appliances.
  • A reboot is not required after EEB installation.
  • If you upgrade your appliance after installing this EEB, you must reinstall the EEB that is associated with the upgraded software version.
  • Do not attempt to disable the web service on the appliance to alleviate this problem.

For instructions on installing EEBs, refer to article number 000076512 by clicking the Related Articles link on this page.
Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.

  • The fix will be available in the upcoming release of the NetBackup Appliance.

Related Articles

Installing EEBs on a NetBackup 52x0 / 5330 Appliance
