VTS22-011

Hotfix for Security Advisory Impacting NetBackup Servers

Revision History

  • 1.0: End of September 2022 – Initial Public Release

Summary

Veritas has addressed vulnerabilities affecting NetBackup Primary servers.

Issues

Issue #1: SQL Injection

The NetBackup Primary server is vulnerable to a SQL Injection attack affecting the NBFSMCLIENT service.

  • CVE ID: CVE-2022-42302
  • Severity: Critical
  • CVSS v3.1 Base Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • Impacted Components: Primary Server
  • Affected Versions: 10.0 and earlier
  • Recommended action:
    • NetBackup Primary & Media Servers: Upgrade to NetBackup 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, 9.1.0.1, 10.0 and apply appropriate Hotfix OR upgrade to 10.0.0.1
    • NetBackup Clients: not impacted. No action needed.
    • NetBackup Appliance: Upgrade to 3.2, 3.3.0.1, 3.3.0.2, 4.0.0.1, 4.1.0.1, 5.0 and apply appropriate Hotfix OR upgrade to 5.0.0.1 MR1.
    • Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances.
    • Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

Issue #2: SQL Injection

The NetBackup Primary server is vulnerable to a 2nd order SQL Injection attack affecting the NBFSMCLIENT service by leveraging Issue #1 in this advisory.

  • CVE ID: CVE-2022-42303
  • Severity: High
  • CVSS v3.1 Base Score: 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
  • Impacted Components: Primary Server
  • Affected Versions: 10.0 and earlier
  • Recommended action:
    • NetBackup Primary & Media Servers: Upgrade to NetBackup 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, 9.1.0.1, 10.0 and apply appropriate Hotfix OR upgrade to 10.0.0.1
    • NetBackup Clients: not impacted. No action needed.
    • NetBackup Appliance: Upgrade to 3.2, 3.3.0.1, 3.3.0.2, 4.0.0.1, 4.1.0.1, 5.0 and apply appropriate Hotfix OR upgrade to 5.0.0.1 MR1.
    • Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances.
    • Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.

Issue #3: SQL Injection

The NetBackup Primary server is vulnerable to a SQL Injection attack affecting idm, nbars, and SLP manager code.

  • CVE ID: CVE-2022-42304
  • Severity: High
  • CVSS v3.1 Base Score: 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
  • Impacted Components: Primary Server
  • Affected Versions: 10.0 and earlier
  • Recommended action:
    • NetBackup Primary & Media Servers: Upgrade to NetBackup 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, 9.1.0.1, 10.0 and apply appropriate Hotfix OR upgrade to 10.0.0.1
    • NetBackup Clients: not impacted. No action needed.
    • NetBackup Appliance: Upgrade to 3.2, 3.3.0.1, 3.3.0.2, 4.0.0.1, 4.1.0.1, 5.0 and apply appropriate Hotfix OR upgrade to 5.0.0.1 MR1.
    • Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances.
    • Flex Scale: Please contact Veritas Technical Support and reference Knowledge Article ID 100053006 to obtain a fix.
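The three issues share one remediation path, which makes estate-wide triage mechanical. The following helper is an added example, not Veritas code: it maps a host's role and NetBackup version to the advisory's action (not impacted, already fixed, hotfix needed, or upgrade first). The version lists are copied from this advisory, the host inventory is constructed, and treating releases at or above the fixed one as fixed is an assumption drawn from "Affected Versions: 10.0 and earlier".

```python
# Remediation data copied from VTS22-011: baselines that accept the hotfix and
# the first release that needs no separate hotfix, per platform.
REMEDIATION = {
    "server": {  # NetBackup Primary and Media servers
        "baselines": {"8.2", "8.3.0.1", "8.3.0.2", "9.0.0.1", "9.1.0.1", "10.0"},
        "fixed": "10.0.0.1",
    },
    "appliance": {  # NetBackup Appliance; advisory says 5.0.0.1 MR1, MR suffix not modelled
        "baselines": {"3.2", "3.3.0.1", "3.3.0.2", "4.0.0.1", "4.1.0.1", "5.0"},
        "fixed": "5.0.0.1",
    },
}
ROLE_TO_PLATFORM = {"primary": "server", "media": "server", "appliance": "appliance"}

def parse_version(text: str) -> tuple:
    """'10.0' -> (10, 0, 0, 0); padding to four fields keeps 10.0 < 10.0.0.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def triage(role: str, version: str, hotfix_applied: bool = False) -> str:
    """Classify one host against VTS22-011 (CVE-2022-42302, -42303, -42304)."""
    if role == "client":
        return "not impacted"  # advisory: clients need no action
    plat = REMEDIATION[ROLE_TO_PLATFORM[role]]
    v = parse_version(version)
    # Assumption: releases at or above the fixed one carry the fix, consistent
    # with the advisory's "Affected Versions: 10.0 and earlier".
    if v >= parse_version(plat["fixed"]):
        return "fixed"
    if v in {parse_version(b) for b in plat["baselines"]}:
        return "fixed (hotfix applied)" if hotfix_applied else "apply VTS22-011 hotfix"
    return f"upgrade to a hotfix baseline or to {plat['fixed']}"

# Constructed inventory, not real hosts: (role, version, hotfix already applied?)
INVENTORY = [
    ("primary", "10.0", False),
    ("media", "9.1.0.1", True),
    ("primary", "8.1.2", False),
    ("client", "8.2", False),
    ("appliance", "5.0.0.1", False),
]

def triage_inventory(inventory):
    return [(r, ver, triage(r, ver, hf)) for r, ver, hf in inventory]

if __name__ == "__main__":
    for role, ver, verdict in triage_inventory(INVENTORY):
        print(f"{role:9} {ver:8} -> {verdict}")
```

Hosts reported as "apply VTS22-011 hotfix" are on a supported baseline and only need the hotfix; "upgrade" hosts must first move to a listed baseline or to the fixed release.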

Notes

This Security Advisory, VTS22-011, also addresses the issues identified in VTS22-004, which was released earlier. If you have not already applied VTS22-004, it is not necessary to apply it first. If you have already applied VTS22-004, you can safely apply VTS22-011 on top of it.

Questions

For questions or problems regarding this advisory, please contact Veritas Technical Support (https://www.veritas.com/support).

Acknowledgement

Veritas would like to thank the following Airbus Security Team members for notifying us about these issues:
Mouad Abouhali, Benoît Camredon, Nicholas Devillers, Anaïs Gantet, and Jean-Romain Garnier.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054