Description
Unauthenticated users can execute arbitrary commands as root.
CVE ID: CVE-2017-8859
CVSS v3 Base Score: 9.8
Remote Code Execution (RCE) allows an unauthenticated attacker to gain remote access through the NetBackup Appliance Web Console.
By supplying a combination of special characters, an attacker can execute commands as root on the underlying operating system through the internal scripts that the web console calls.
This patch contains security enhancements that prevent the RCE vulnerability in NetBackup appliances, along with the fix for CVE-2016-7399 from the following article:
Note: This vulnerability does not affect NetBackup software or OpsCenter.
Emergency Engineering Binaries (EEBs) are available for these security enhancements for the following NetBackup appliance release versions:
2.7.2, 2.7.3, 3.0
NetBackup Appliance release 3.1 includes the fix for this vulnerability.
Apply the appropriate EEB for your version.
Before installing the EEB, note the following:
- This EEB is a superset of the EEB mentioned in the following article for CVE-2016-7399, since this EEB also includes that fix.
- If you already have EEBs installed from article.000116055, you can still install this EEB.
- Do not install EEBs from article.000116055 after installing this EEB.
- To avoid an EEB installation failure, you must stop all NetBackup jobs before installation.
- This EEB must be installed on both the master server and all associated media server appliances.
- A reboot is not required after EEB installation.
- If you upgrade your appliance after installing this EEB, you must reinstall the EEB that is associated with the upgraded software version.
- Do not attempt to prevent any RCE vulnerability by disabling the web service on the appliance.
Before rolling back the EEB, note the following:
- If you have installed the EEB from article.000116055 in addition to this EEB:
  - This EEB must be rolled back before the EEB from article.000116055 is rolled back.
  - If you roll back the EEB from article.000116055 before this EEB, the appliance web service goes down and you cannot log in to the appliance from the web console. If this issue occurs, roll back this EEB and then try again to roll back the EEB from article.000116055.
For instructions on EEB installation, refer to article number 000076512 by clicking the Related Articles link on this page.
Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.
Please access the following link for download and README information:
The Security Advisory VTS17-005 is available at the following link: