Problem
NetBackup and NetBackup Appliances both use the OpenSSL module that was recently identified as containing the "Heartbleed" vulnerability. Additional details on this vulnerability can be found at heartbleed.com. This document outlines the impact of this vulnerability on NetBackup and NetBackup Appliances.
Disclaimer:
Any information regarding pre-release Veritas offerings, future updates or other planned modifications is subject to ongoing evaluation by Veritas and is therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Veritas offerings should make their purchase decision based upon features that are currently available.
Some information contained in this document is forward looking and as such does not represent a commitment.
Solution
1. Which versions of OpenSSL does this vulnerability affect?
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
Versions of OpenSSL that are NOT impacted include:
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Note: This vulnerability is fixed in OpenSSL 1.0.1g.
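The version ranges above, written as a triage check over `openssl version` banners. This is an added example, not Veritas code; the host names and banner lines are constructed sample input, and any version the advisory does not mention is reported as not covered rather than guessed.

```python
import re

VULNERABLE = "vulnerable"
NOT_VULNERABLE = "not vulnerable"
NOT_COVERED = "not covered by this advisory"

# major.minor.fix, optional patch letters, optional pre-release tag.
_VER = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:beta|pre|dev)\w*)?")


def _letter_rank(letters):
    # OpenSSL patch letters sort "" < a < ... < z < za < zb ...
    return (len(letters), letters)


def classify_openssl(banner):
    """Classify one `openssl version` banner using only the advisory's ranges."""
    m = _VER.search(banner)
    if not m:
        return NOT_COVERED
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letters, prerelease = m.group(4), m.group(5)
    if branch in ((1, 0, 0), (0, 9, 8)):
        return NOT_VULNERABLE
    if branch == (1, 0, 1) and not prerelease:
        # 1.0.1 through 1.0.1f inclusive are vulnerable; 1.0.1g carries the fix.
        # Assumption: later 1.0.1 letter releases keep that fix.
        if _letter_rank(letters) <= _letter_rank("f"):
            return VULNERABLE
        return NOT_VULNERABLE
    return NOT_COVERED


def hosts_to_verify(inventory):
    """Return hosts whose banner falls in the vulnerable range."""
    flagged = []
    for line in inventory.strip().splitlines():
        host, banner = line.split(None, 1)
        if classify_openssl(banner) == VULNERABLE:
            flagged.append(host)
    return flagged


# Constructed sample inventory: "<host> <openssl version output>".
SAMPLE = """
nbu-master01 OpenSSL 1.0.1e-fips 11 Feb 2013
nbu-media02 OpenSSL 1.0.1g 7 Apr 2014
nbu-media03 OpenSSL 0.9.8y 5 Feb 2013
nbu-client04 OpenSSL 1.0.1 14 Mar 2012
"""
```

A banner identifies the upstream release only, so treat a flagged host as one to confirm against its vendor's advisory.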
2. Is there an impact to NetBackup?
Yes, the NetBackup 7.6 / 7.6.0.1 release is affected.
3. Is there an impact to NetBackup Appliances?
Although the NetBackup Appliance hardware, firmware, and operating system are not affected, the NetBackup 7.6 / 7.6.0.1 software on the appliance is affected.
4. Which versions of NetBackup & NetBackup Appliances are impacted by this vulnerability?
| Component | Version | Impacted? |
|---|---|---|
| NetBackup | 7.6 / 7.6.0.1 | Yes |
| NetBackup | Versions prior to 7.6 | No |
| NetBackup Appliances | 2.6 / 2.6.0.1 | Yes |
| NetBackup Appliances | Versions prior to 2.6 | No |
5. Which release will the fix be introduced in?
The fix for this vulnerability will be targeted for the following releases:
- NetBackup 7.6 Maintenance Release 2 (7.6.0.2)
- NetBackup Appliances 2.6.0.2
6. If I have additional concerns, who can I contact?
You may contact your Veritas authorized reseller/partner or Veritas technical support.