Description
Recently a zero-day vulnerability was reported in the popular open-source Java framework, Spring, that could allow an attacker to execute arbitrary code on a remote web server. Veritas has concluded that NetBackup Flex Appliances are impacted. Please see the table below for remediation steps.
NetBackup Flex version |
Remediation |
2.1 |
(1) Download 2.1 hotfix here (2) Install hotfix |
2.0.2 |
(1) Download 2.0.2 hotfix here (2) Install hotfix |
1.3.x/2.0/2.0.1 |
(1) Upgrade to 2.1 here (2) Download hotfix here (3) Install hotfix |
The Flex 2.1 Hotfix includes
- Fix for Spring4Shell Vulnerability (CVE-2022-22965)
- Fix for HBA QLE2692 false alert that the temperature is high (V-475-105-1005)
- Previously released fix for Log4j and Polkit vulnerabilities (VE-2021-44228, CVE-2021-45046 and CVE-2021-4034)
- Previously released fix for enabling Isolated Recovery Environment (IRE) Air Gap Solution
The Flex 2.0.2 Hotfix includes
- Fix for Spring4Shell Vulnerability (CVE-2022-22965)
- Previously released fix for Log4j and Polkit vulnerabilities (VE-2021-44228, CVE-2021-45046 and CVE-2021-4034)
It is not required to uninstall the previously released fixes.
Note the following:
- If a node in the appliance is factory reset or reimaged, the version-specific hotfix must be applied on that node immediately after it is added back to the appliance and updated to the appliance.
- If an appliance is upgraded to any of the versions mentioned in the previous table, the version-specific hotfix must be applied on all nodes in the appliance after you commit the upgrade.
Special Note for Flex 2.1 relating to Air Gap
In the case of appliance recovery, first install the 2.1 hotfix (which has IRE Air Gap capability) and then start WORM storage server instances to retain the filtering rules that were in effect before the factory reset or the reimage.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
War dieser Inhalt hilfreich?
Übersetzter Inhalt
Bitte beachten Sie, dass dieses Dokument aus dem Englischen übersetzt wurde und es sich möglicherweise um eine Maschinenübersetzung handelt. Es ist möglich, dass nach Übersetzung und Veröffentlichung dieses Dokuments Aktualisierungen der ursprünglichen Version vorgenommen wurden. Veritas übernimmt keine Garantie für die Genauigkeit hinsichtlich der Vollständigkeit der Übersetzung. Sie können auch die englische Version dieses Supportdatenbank-Artikels heranziehen, um aktuelle Informationen zu erhalten.