Security Enhancements to prevent Remote Code Execution vulnerability in NetBackup appliances

Security Enhancements to prevent Remote Code Execution vulnerability in NetBackup appliances

Article: 100000481
Last Published: 2018-04-17
Ratings: 0 0
Product(s): Appliances


Security Vulnerability


Unauthenticated users can execute arbitrary commands as root.
CVE ID: CVE-2017-8859
Severity: Critical
CVSS v3 Base Score: 9.8

Remote Code Execution (RCE) allows an unauthenticated attacker to gain remote access through the NetBackup Appliance Web Console.
As a root user, an attacker can use a combination of special characters to execute commands on the underlying operating system, which calls the internal scripts.

This patch contains security enhancements to prevent RCE vulnerability in NetBackup appliances, along with the fix for CVE-2016-7399 from the following article:

Note: This vulnerability does not affect NetBackup software or OpsCenter.

Action Required

Emergency Engineering Binaries (EEBs) are available for these security enhancements for the following NetBackup appliance release versions:

2.7.2, 2.7.3, 3.0

NetBackup Appliance release 3.1 includes the fix for this vulnerability.

Apply the appropriate EEB for your version.

Before installing the EEB, note the following:

  • This EEB is a superset of the EEB mentioned in the following article for CVE-2016-7399, since this EEB also includes that fix.
           Remote Code Execution vulnerability fix in NetBackup Appliances:
  • If you already have EEBs installed from article.000116055, you can still install this EEB.
  • Do not install EEBs from article.000116055 after installing this EEB.
  • To avoid an EEB installation failure, you must stop all NetBackup jobs before installation.
  • This EEB must be installed on both the master server and all associated media server appliances.
  • A reboot is not required after EEB installation.
  • If you upgrade your appliance after installing this EEB, you must reinstall the EEB that is associated with the upgraded software version.
  • Do not attempt to prevent any RCE vulnerability by disabling the web service on the appliance.

Before rollback the EEB, note the following:
  • If your have installed the EEB from article.000116055 in addition to this EEB:  
    • This EEB must be rolled back before rollback of EEB from article.000116055.
    • If you rollback the EEB from article.000116055 before this EEB, the appliance web service goes down and you can not log in to the appliance from the web console. If this issue occurs, rollback this EEB and try again to rollback the EEB from article.000116055

For instructions on EEB installation, refer to article number 000076512 by clicking the Related Articles link on this page.

Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.

Please access the following link for download and README information:

The Security Advisory VTS17-005 is available at the following link:

Contact Support

Terms of use for this information are found in Legal Notices.


Was this content helpful?