Impact of CVE-2017-5638 on OpsCenter Server

Article ID: 000125967

Severity: Security Vulnerability

Description

Document History:
March 23, 2017: Initial publication
April 4, 2017: Hotfixes available, attached to article
April 6, 2017: Additional EEB reference added

Abstract: Impact of CVE-2017-5638 on NetBackup OpsCenter Server
 
Severity: Security Vulnerability
 
Description:
Remote command execution (RCE) when performing a file upload operation through the NetBackup OpsCenter Web GUI.

CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
 
More info: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638  
 
The Apache Struts instance included in Veritas OpsCenter is susceptible to this vulnerability, such that an attacker could execute arbitrary commands through the OpsCenter WebServer Service. It may be possible to craft the Content-Type header value so that arbitrary commands are executed on the underlying operating system. NOTE: the impact of this vulnerability is low because the OpsCenter URLs where file upload is used can only be accessed by an authenticated OpsCenter user.

NetBackup OpsCenter Server versions 7.6 and later are affected by this vulnerability.

This vulnerability will be fixed in an upcoming release of OpsCenter.

Note: This vulnerability only affects OpsCenter Server. It does not affect NetBackup software, OpsCenter Agent or OpsCenter ViewBuilder.

Action Required

Hotfixes for OpsCenter 8.0 and 7.7.3 are attached to this document.  Please download and apply the appropriate hotfix to the OpsCenter server.

An Emergency Engineering Binary (EEB) is available for OpsCenter 7.7.2 servers by contacting Veritas support, referencing this document and Etrack 3913548.

For other versions, please contact Veritas support, referencing this document and Etrack 3913344 to determine EEB availability.

If a hotfix or EEB cannot be immediately applied to the OpsCenter server, please consider implementing the following workaround to mitigate this vulnerability until such time as they can be applied.

Workaround:
The issue is found in the Apache Struts 2 library that is used by the OpsCenter WebServer Service.
 
Stopping the OpsCenter WebServer Service (and only that service) with the platform-specific command below removes the exposure to this vulnerability.

Note: Once this service is stopped, users will not be able to view or perform any operation via the OpsCenter Web UI.

Stopping the OpsCenter WebServer Service has NO impact on email notifications, scheduled reports, alert generation and data collection.

Windows: How to stop or start the OpsCenter WebServer Service:

  1. Select Control Panel > Administrative Tools > Services
  2. Stop or start Veritas NetBackup OpsCenter WebServer Service (on version 7.x this service is called Symantec NetBackup OpsCenter WebServer Service)

Unix: How to stop or start the OpsCenter WebServer Service:

    To Stop:  <INSTALL_PATH>/SYMCOpsCenterGUI/bin/stopgui.sh
    To Start: <INSTALL_PATH>/SYMCOpsCenterGUI/bin/startgui.sh


Resolution:
Veritas Technologies LLC has acknowledged that the above-mentioned issue (Etrack 3913344) is present in the current versions listed under the Products section of this article. Veritas Technologies LLC is committed to product quality and satisfied customers.

This issue is currently scheduled to be addressed in the next release of OpsCenter. Please be sure to refer back to this document periodically, as any changes to the status of the defect will be reflected here. Use the Subscribe to this Article link to sign up for email notification when this document is updated.

Please note that Veritas Technologies LLC reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests. Veritas' plans are subject to change, and any action taken by you based on the above information or your reliance upon the above information is made at your own risk.

When the next release of OpsCenter is available, please access the following link for download and README information:
https://www.veritas.com/content/support/en_US/58596.html

Hotfix information:
Bug ID: ET 3913550 (8.0) / 3913549 (7.7.3)

Installation Location: OpsCenter server

Installation Instructions: Please follow the instructions available in the included README file.

Package Contents:
Please choose the appropriate platform after download:
OpsCenter_LinuxR_x86_x86_64_80EEB_ET3913550_1.tar.gz    RedHat x64 Installation
OpsCenter_LinuxS_x86_x86_64_80EEB_ET3913550_1.tar.gz    Suse x64 Installation
OpsCenter_windows_AMD64_80EEB_ET3913550_1.zip           Windows x64 Installation
OpsCenter_LinuxR_x86_x86_64_773EEB_ET3913549_1.tar.gz   RedHat x64 Installation
OpsCenter_LinuxS_x86_x86_64_773EEB_ET3913549_1.tar.gz   Suse x64 Installation
OpsCenter_windows_AMD64_773EEB_ET3913549_1.zip          Windows x64 Installation

Checksums:
4209614721 63335555 all/OpsCenter_windows_AMD64_80EEB_ET3913550_1.zip
3063846324 63321102 all/OpsCenter_LinuxS_x86_x86_64_80EEB_ET3913550_1.tar.gz
2013841265 63321132 all/OpsCenter_LinuxR_x86_x86_64_80EEB_ET3913550_1.tar.gz
2604378182 63279071 all/OpsCenter_LinuxR_x86_x86_64_773EEB_ET3913549_1.tar.gz
933072777 63279039 all/OpsCenter_LinuxS_x86_x86_64_773EEB_ET3913549_1.tar.gz
1163191596 63301459 all/OpsCenter_windows_AMD64_773EEB_ET3913549_1.zip
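Before installing a hotfix it is worth confirming that the downloaded package matches the values listed above. The following script is an added example and is not part of the Veritas article or the hotfix packages; it assumes that the Checksums list is in the format produced by POSIX cksum(1) (CRC, byte count, path), that the list has been saved to a text file, and that the packages were downloaded into a single directory. The leading "all/" directory prefix is ignored and each package is looked up by file name.

```shell
#!/bin/sh
# Added example (not from the Veritas article): verify downloaded OpsCenter
# hotfix packages against a cksum-style manifest of "<crc> <bytes> <path>" lines.
# Assumes POSIX cksum(1) is on the PATH (assumption, not stated by the article).

# verify_manifest MANIFEST_FILE DOWNLOAD_DIR
# Prints one status line per package (OK / MISMATCH / MISSING) and returns the
# number of packages that are missing or do not match (0 means all verified).
verify_manifest() {
    manifest=$1
    dir=$2
    failures=0
    while read -r want_crc want_len path; do
        [ -z "$path" ] && continue            # skip blank lines
        file="$dir/$(basename "$path")"       # drop the "all/" prefix
        if [ ! -f "$file" ]; then
            echo "MISSING  $file"
            failures=$((failures + 1))
            continue
        fi
        # cksum prints "<crc> <bytes> <file>"; keep the first two fields
        set -- $(cksum "$file")
        have_crc=$1
        have_len=$2
        if [ "$have_crc" = "$want_crc" ] && [ "$have_len" = "$want_len" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file (expected $want_crc $want_len, got $have_crc $have_len)"
            failures=$((failures + 1))
        fi
    done < "$manifest"
    return "$failures"
}

# Usage: sh verify_hotfix.sh checksums.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

Both the CRC and the byte count are compared, so a truncated download is reported as a mismatch rather than silently accepted; the non-zero return code lets the check be chained into a deployment script so that installation does not proceed on a failed verification.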
