Workaround for NetBackup Appliances with vulnerability issue CVE-2018-18652

Article: 100044666
Last modified: 2019-01-14
Product(s): Appliances

Problem

A remote command execution vulnerability exists in Veritas NetBackup Appliances that allows authenticated administrators to execute arbitrary commands as root. NetBackup Appliance software versions 3.1.1 and earlier are vulnerable.

CVE ID: CVE-2018-18652
Severity: High
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

For complete details, see the following Veritas alert article:

https://www.veritas.com/support/en_US/security/VTS18-003.html

Error Message

N/A

Cause

This issue is caused by insufficient filtering of user-provided input.

Solution

Upgrade to NetBackup Appliance release 3.1.2.

As a temporary workaround, you can disable the NetBackup Appliance Web Console. If you disable the console, the following limitations apply:

  • NetBackup functionality including backup and restore will not be impacted on configured appliances.
  • The web console will not be available.
  • Universal shares will not be available on appliances with versions 3.1 or later.
  • Appliance administrative capabilities through the NetBackup Appliance Shell Menu will continue to be available.

To disable the web console, contact Veritas Support for assistance.
