Description
Recently a zero-day vulnerability was reported in the popular open-source Java framework, Spring, that could allow an attacker to execute arbitrary code on a remote web server. Veritas has concluded that NetBackup Flex Scale Appliances are impacted. Please see the table below for remediation steps.
| Flex Scale Appliance Version | Remediation |
| --- | --- |
| 3.0 | (1) Download 3.0 hotfix here (2) Install hotfix |
| 2.1 | (1) Download hotfix here (2) Install hotfix |
Note
After installing the 3.0 hotfix, previously configured CallHome functionality may stop working. Follow the workaround steps below to resolve the issue in 3.0:
- SSH to any node in the cluster and log in as an administration user.
- Run the following command to get root shell access:
  support elevate
- Run the following command to stop the ASC global API service:
  /opt/VRTS/bin/hagrp -offline GLOBAL_API_SERVER -any
- Run the following command to make sure that the service is OFFLINE on ALL nodes:
  hagrp -state GLOBAL_API_SERVER
- Run the following command to start the service again:
  /opt/VRTS/bin/hagrp -online GLOBAL_API_SERVER -any
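The "OFFLINE on ALL nodes" check in the steps above can be scripted so the restart only happens once no node is still online or in transition. The following is an added example, not part of the Veritas advisory; the column layout of the `hagrp -state` output and the node names are assumptions.

```shell
#!/bin/sh
# Added example, not Veritas code. Assumes `hagrp -state <group>` prints a
# "#Group Attribute System Value" header, then one row per node with the
# state wrapped in pipes, e.g. |OFFLINE|.

# Reads state output on stdin and prints "<node> <state>" for every node that
# is not exactly |OFFLINE|. Fails if any such node exists or no rows were read.
not_offline_nodes() {
    awk '
        /^#/ || NF < 4 { next }                 # header or blank line
        { rows++ }
        $4 != "|OFFLINE|" { print $3, $4; bad++ }
        END { exit ((rows == 0 || bad > 0) ? 1 : 0) }
    '
}

# Polls until every node is offline. $1 = command that prints the state,
# $2 = number of attempts, $3 = seconds to sleep between attempts.
wait_all_offline() {
    state_cmd=$1; tries=$2; pause=$3
    while [ "$tries" -gt 0 ]; do
        if $state_cmd | not_offline_nodes >/dev/null; then return 0; fi
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep "$pause"; fi
    done
    return 1
}

# Constructed sample output; node names are made up.
sample_mixed='#Group             Attribute  System  Value
GLOBAL_API_SERVER  State      node01  |OFFLINE|
GLOBAL_API_SERVER  State      node02  |ONLINE|
GLOBAL_API_SERVER  State      node03  |OFFLINE|'
sample_all_offline='#Group             Attribute  System  Value
GLOBAL_API_SERVER  State      node01  |OFFLINE|
GLOBAL_API_SERVER  State      node02  |OFFLINE|'

# Demo on the constructed samples.
printf '%s\n' "$sample_mixed" | not_offline_nodes || echo "do not restart yet"

# On the appliance, after the -offline step (from the root shell):
#   wait_all_offline "hagrp -state GLOBAL_API_SERVER" 12 5 &&
#       /opt/VRTS/bin/hagrp -online GLOBAL_API_SERVER -any
```

An empty state listing is treated as a failure, so a missing or failing `hagrp` command never counts as "all offline".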
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.