Spectre vulnerability (Variant 2 - CVE-2017-5715) on NetBackup Appliances (article 100043541)
Abstract
Description
Problem
NetBackup Appliance models 5230, 5240, 5250, 5330, and 5340 with software versions 2.7.1 and later are affected by the following issue:
- CVE-2017-5715 (Spectre Variant 2)
- CVSS Base Score: 5.6
- Systems with microprocessors that utilize speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access through a side-channel analysis.
Note: NetBackup and OpsCenter software applications are not affected by this issue.
Error Message
Security scanners and similar tools that validate Meltdown and Spectre vulnerabilities will report that NetBackup appliances are affected by this vulnerability for Variant 2 on all of the described hardware models.
Cause
NetBackup Appliance models 5230, 5240, 5250, 5330, and 5340 use BIOS and kernel versions that are vulnerable to the problems described in CVE-2017-5715.
HotFix: Critical
Update ID: UPD178963
Version: 4.0/3.3.0.1 / 3.2 / 3.1.2 / 3.1.1
Platform: Appliance
Release date: 2018-10-25
Solution
An Emergency Engineering Binary (EEB) is available to fix the Spectre Variant 2 vulnerability for NetBackup Appliance software versions 3.1.1, 3.1.2, 3.2, and 3.3.0.1.
Before EEB installation, note the following:
- This EEB enables the fix for the Spectre Variant 2 vulnerability on an appliance and may adversely impact appliance performance. After installing this EEB, rolling it back disables the vulnerability fix and mitigates the performance issues, if any. Before you install this EEB, consider whether performance or security is more important for your environment. For better security, install the EEB. To maintain the current appliance performance level, do not install the EEB.
- Before you install the EEB on appliances with software version 3.2 or 3.3.0.1, you must first verify that the appliance uses the minimum required BIOS version. Use the command Manage > Software > Firmware Status to check the installed version against the following minimums:
  - 5340 - BIOS: SE5C620.86B.00.01.0014
  - 5240 - BIOS: SE5C610.86B.01.01.0028
  - 5230/5330 - BIOS: SE5C600.86B.02.06.0007
  If any appliance uses an earlier version of the BIOS, you must first update the BIOS to the minimum required version by using the firmware update tool. For details and to obtain the tool, see the following article: https://www.veritas.com/support/en_US/article.100046032
- For appliances with software version 3.1.2, a BIOS update is not required to fix this vulnerability. The EEB (NBAPP_EEB_ET3957544-3.1.2.0-1.x86_64.rpm) is all that is required. The EEB is attached to this article.
- For appliances with software version 3.1.1, a BIOS update is required before you install the EEB (NBAPP_EEB_ET3958702-3.1.1.0-1.x86_64.rpm) to fix the Spectre Variant 2 vulnerability. The EEB is attached to this article. If the BIOS version on the appliance does not meet the minimum required version, the EEB installation fails. The BIOS update is available in the form of another EEB for NetBackup Appliance software version 3.1.1. You can obtain this EEB from the following link: https://www.veritas.com/support/en_US/article.100044095
- Caution: Do not install the BIOS update EEB after installing the Spectre Variant 2 fix EEB. Otherwise, the Spectre Variant 2 fix will be disabled.
- To avoid an EEB installation failure, you must stop all NetBackup jobs before installing the EEB.
- This EEB must be installed on both the master server appliance and all associated media server appliances.
- A reboot occurs automatically at the end of EEB installation.
- For high availability setups, you must install this EEB on each node individually.
For instructions on installing EEBs, see the link under Related Knowledge Base Articles.
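The minimum-BIOS check described above can be scripted as a pre-install gate. This is an added example, not Veritas code and not part of the EEB. The function names are hypothetical, the BIOS string is supplied by hand rather than read from the appliance, and ordering the last three dotted fields numerically as major.minor.build is an assumption.

```shell
#!/bin/sh
# Added example (not Veritas code): gate an EEB install on the minimum BIOS
# versions this article lists for software versions 3.2 and 3.3.0.1.

# Minimum BIOS per appliance model, copied from the article.
min_bios_for_model() {
  case "$1" in
    5340)      echo "SE5C620.86B.00.01.0014" ;;
    5240)      echo "SE5C610.86B.01.01.0028" ;;
    5230|5330) echo "SE5C600.86B.02.06.0007" ;;
    *)         return 1 ;;  # no minimum listed for this model
  esac
}

# Strip leading zeros so a field such as 0028 is compared as decimal 28
# and never interpreted as (invalid) octal by the shell.
to_dec() {
  n=${1#"${1%%[!0]*}"}
  echo "${n:-0}"
}

# bios_meets_minimum MODEL BIOS_VERSION
# Exit status: 0 = at or above minimum, 1 = older, 2 = cannot be compared.
# The body runs in a subshell so IFS and positional parameters do not leak.
bios_meets_minimum() (
  min=$(min_bios_for_model "$1") || exit 2
  case "$2" in ''|*[!A-Z0-9.]*|*..*|.*|*.) exit 2 ;; esac
  IFS=.
  set -- $2 $min            # $1-$5: installed fields, $6-$10: minimum fields
  [ $# -eq 10 ] || exit 2
  # Same board family required (e.g. SE5C620.86B); otherwise the model is wrong.
  [ "$1.$2" = "$6.$7" ] || exit 2
  # Assumption: the last three fields order numerically as major.minor.build.
  for pair in "$3:$8" "$4:$9" "$5:${10}"; do
    case "${pair%%:*}" in *[!0-9]*) exit 2 ;; esac
    have=$(to_dec "${pair%%:*}")
    need=$(to_dec "${pair##*:}")
    if [ "$have" -gt "$need" ]; then exit 0; fi
    if [ "$have" -lt "$need" ]; then exit 1; fi
  done
  exit 0                    # identical to the minimum
)
```

Pass the appliance model and the BIOS string reported by Manage > Software > Firmware Status; a status of 2 means the string did not match the expected board family or format and should be checked manually.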
For NetBackup Appliance software version 4.0:
The fix for CVE-2017-5715 (Spectre Variant 2) is enabled by default, so NetBackup appliances with software version 4.0 are not affected by this vulnerability. However, the fix may adversely impact appliance performance. To mitigate the performance issues, a script is available to disable the Spectre Variant 2 fix. Before you disable the fix, consider whether performance or security is more important for your environment. For better security, do not disable the fix. To mitigate current appliance performance issues, disable the fix. This script can also enable the fix for the Spectre Variant 2 vulnerability after you have disabled it.
- Usage of the script:
  Script path: /opt/NBUAppliance/scripts/spectre_v2.sh
  Parameters:
    enable: enable the Spectre Variant 2 fix
    disable: disable the Spectre Variant 2 fix
    status: show whether the Spectre Variant 2 fix is enabled or disabled
  Examples:
    To disable the Spectre Variant 2 fix:
      maintenance-!> /opt/NBUAppliance/scripts/spectre_v2.sh disable
    To enable the Spectre Variant 2 fix:
      maintenance-!> /opt/NBUAppliance/scripts/spectre_v2.sh enable
    To show whether the Spectre Variant 2 fix is enabled or disabled:
      maintenance-!> /opt/NBUAppliance/scripts/spectre_v2.sh status
- Caution:
If the security mode of the appliance is set to “Very High”, the maintenance user account is not available. Before you can run any script, you must first change the security mode.
- A reboot occurs automatically after enabling or disabling the Spectre Variant 2 fix.
- For high availability setups, you must enable or disable the Spectre Variant 2 fix on each node individually.
Veritas Technologies LLC is aware that the above-mentioned issue is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.