Veritas Alta Recovery Vault Accelerated Delete Vulnerability

Article: 100065322
Last published: 2024-05-01
Product(s): NetBackup

Summary 

A vulnerability was discovered in Veritas NetBackup 10.3.0.1 and prior versions where Veritas Alta Recovery Vault is used as an immutable storage target. The tech alert information will be added here when available. All NetBackup/ADP Media Servers must be patched according to current guidelines to avoid disruption to backups. Please contact Veritas Technical Support to ensure that you have applied the appropriate EEBs for your environment.

 

 

| Service | NetBackup/ADP Versions Affected | Fixed Version | Remediation |
| --- | --- | --- | --- |
| Alta Recovery Vault Azure (standard and archive tiers) | 10.3.0.1, 10.3, 10.2.0.1, 10.2, 10.1.1, 10.1, 10.0.0.1 | 10.4 | Please upgrade your environment to NetBackup 10.4 or if you wish to remain on an older version, contact Veritas Technical Support to ensure that the required EEBs are applied correctly to your environment. |
| Alta Recovery Vault AWS (standard and archive tiers) | 10.3.0.1, 10.3, 10.2.0.1, 10.2, 10.1.1, 10.1, 10.0.0.1, 10.0, 9.1.0.1 | 10.4 | |

 

Issue 

 

Overview

By design, only the cloud administrator should be able to disable the retention lock of Governance mode images. With Alta Recovery Vault, it is intended that only Veritas has cloud administrator privileges and that no end users have the ability to unlock backups that are marked as indelible. This vulnerability allowed a NetBackup administrator to modify the expiration of backups under Governance mode, which could cause premature deletion.

Severity: Medium 

https://www.veritas.com/support/en_US/security/VTS24-004

Prerequisites 

A user with the NetBackup Administrator role accesses the NetBackup servers and performs the operation to modify the expiration of Governance mode images in the cloud storage. 

  

Affected Versions 

Veritas NetBackup 10.3.0.1, 10.3, 10.2.0.1, 10.2, 10.1.1, 10.1, 10.0.0.1, 10.0, 9.1.0.1 

Remediation 

This vulnerability has already been remediated on all Veritas Alta Recovery Vault cloud accounts. Users of affected versions of NetBackup/ADP must update their systems immediately; failure to do so will cause any backups or duplications targeted for Recovery Vault to fail. Customers that upgrade to NetBackup 10.4 will require no further action. Customers running earlier versions of NetBackup are advised to apply the EEBs identified in the table below:

| NetBackup/ADP Version | EEB ID & Download Link |
| --- | --- |
| NBU 9.1.0.1 | UPD149656 |
| NBU 10.0 | Contact Support for Hotfix 4069637 |
| NBU 10.0.0.1 | UPD715740 |
| NBU 10.1 | Contact Support for Hotfix 4090334 |
| NBU 10.1.1 | UPD914005 |
| NBU 10.2 | Contact Support for Hotfix 4114925 |
| NBU 10.2.0.1 | UPD947768 |
| NBU 10.3 | Contact Support for Hotfix 4140861 |
| NBU 10.3.0.1 | UPD570820 |

    

Questions 

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support

Disclaimer 

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 
