Impact of CVE-2017-5638 on OpsCenter Server

Severity

Security Vulnerability

Description

Abstract: Impact of CVE-2017-5638 on NetBackup OpsCenter Server
 
Remote command execution (RCE) when performing a file upload operation through the NetBackup OpsCenter Web GUI.
 
CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
 
More info: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638  
 
The Apache Struts instance included in Veritas OpsCenter is susceptible to this vulnerability, such that an attacker could execute arbitrary commands through the OpsCenter WebServer Service. It may be possible to craft the Content-Type header value to execute arbitrary commands on the underlying operating system. NOTE: the impact of this vulnerability is low because the OpsCenter URLs where file upload is used can only be accessed by an authenticated OpsCenter user.
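As an added detection example (not part of this Veritas advisory or of OpsCenter), the following Python flags request log lines whose Content-Type header is either not a well-formed media type or carries the OGNL markers named in the CVE description; the log line format, URL paths and client addresses are constructed for illustration.

```python
import re
from typing import Dict, List

# RFC 7230 token characters; a well-formed media type is token "/" token,
# optionally followed by ";" parameters.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_MEDIA_TYPE_RE = re.compile(rf"^\s*{_TCHAR}+/{_TCHAR}+\s*(;.*)?$", re.DOTALL)
# OGNL expression openers plus the "#cmd" indicator quoted in the CVE text.
_OGNL_MARKERS = ("%{", "${", "#cmd")


def suspicious_content_type(value: str) -> bool:
    """True if the header value is malformed or contains OGNL markers."""
    if not _MEDIA_TYPE_RE.match(value):
        return True  # not even "type/subtype": never legitimate for an upload
    return any(marker in value for marker in _OGNL_MARKERS)


# Hypothetical log format: <client> <method> <path> content-type="<value>"
_LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) content-type="(?P<ctype>[^"]*)"$'
)

# Constructed sample lines; the payload text is a placeholder, not an exploit.
SAMPLE_LOG = """\
10.0.0.5 POST /opscenter/upload content-type="multipart/form-data; boundary=----abc123"
10.0.0.7 POST /opscenter/upload content-type="%{#cmd=REDACTED}"
10.0.0.9 GET /opscenter/login content-type="text/html"
10.0.0.11 POST /opscenter/upload content-type="multipart/form-data; ${#cmd=REDACTED}"
"""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per line whose Content-Type looks like an OGNL probe."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if suspicious_content_type(m.group("ctype")):
            findings.append(
                {"src": m.group("src"), "path": m.group("path"), "content_type": m.group("ctype")}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT src={f['src']} path={f['path']} content_type={f['content_type']!r}")
```

Run over the sample it reports the two lines from 10.0.0.7 and 10.0.0.11; the second one shows why the media-type check alone is insufficient and the marker scan is needed.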

NetBackup OpsCenter Server versions 7.6 and later are affected by this vulnerability.

This vulnerability will be fixed in an upcoming release of OpsCenter. 
 
Note: This vulnerability only affects OpsCenter Server. This vulnerability does not affect NetBackup software, OpsCenter Agent or OpsCenter ViewBuilder.

Action Required

Please contact Veritas technical support, referencing this document and Etrack 3913550 (OpsCenter 8.0) and/or 3913549 (OpsCenter 7.7.3) to receive Emergency Engineering Binary (EEB) bundle(s) containing a fix for this issue. 

If EEBs cannot be immediately applied to the OpsCenter server, please consider implementing the following workaround to mitigate this vulnerability until such time as they can be applied.

Workaround:
The issue is found in the Apache Struts 2 library that is used by the OpsCenter WebServer Service.
 
Stopping only the OpsCenter WebServer Service using a platform-specific command will avoid this vulnerability.

Note: Once this service is stopped, users will not be able to view or perform any operation via the OpsCenter Web UI.

Stopping the OpsCenter WebServer Service has NO impact on email notifications, scheduled reports, alert generation and data collection.

Windows: How to stop or start the OpsCenter WebServer Service:

  1. Select Control Panel > Administrative Tools > Services
  2. Stop or start the Veritas NetBackup OpsCenter WebServer Service (on version 7.x this service is called Symantec NetBackup OpsCenter WebServer Service)

Unix: How to stop or start the OpsCenter WebServer Service:

  To stop:  <INSTALL_PATH>/SYMCOpsCenterGUI/bin/stopgui.sh
  To start: <INSTALL_PATH>/SYMCOpsCenterGUI/bin/startgui.sh

Resolution:
Veritas Technologies LLC has acknowledged that the above-mentioned issue (Etrack 3913344) is present in the current versions listed under the Products section of this article. Veritas Technologies LLC is committed to product quality and satisfied customers.

This issue is currently scheduled to be addressed in the next release of OpsCenter. Please be sure to refer back to this document periodically as any changes to the status of the defect will be reflected here. Use the Subscribe to this Article link to sign up for email notification when this document is updated.

Please note that Veritas Technologies LLC reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests. Veritas' plans are subject to change and any action taken by you based on the above information or your reliance upon the above information is made at your own risk.

When the next release of OpsCenter is available, please access the following link for download and README information:
https://www.veritas.com/content/support/en_US/58596.html

Terms of use for this information are found in Legal Notices.
