NetBackup 8.0 / 7.7.3 HotFix - addresses CVE-2017-5638 on OpsCenter Server (article 100000477)

Translation Notice

Please note that this content includes text that has been machine-translated from English. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.

NetBackup 8.0 / 7.7.3 HotFix - addresses CVE-2017-5638 on OpsCenter Server (article 100000477)

HotFix

Update ID: UPD967929

Version: 8.0 / 7.7.3

Platform: Cross-Platform

Release date: 2017-09-09

Abstract

Impact of CVE-2017-5638 on OpsCenter Server

Description

Remote command execution(RCE) when performing file upload operation through NetBackup OpsCenter Web GUI.

CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

More info: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

The Apache Struts instance included in Veritas OpsCenter is susceptible to this vulnerability, such that an attacker could execute arbitrary commands through the OpsCenter WebServer Service. It may be possible to craft the Content-Type Header value to execute arbitrary commands on the underlying operating system. NOTE the impact of this vulnerability is low because the OpsCenter URLs where File Upload is used can only be accessed by an authenticated OpsCenter user.

NetBackup OpsCenter Server version 7.6 and later are affected by this vulnerability.

This vulnerability will be fixed in an upcoming release of OpsCenter.

Note: This vulnerability only affects OpsCenter Server. This vulnerability does not affect NetBackup software, OpsCenter Agent or OpsCenter ViewBuilder.

Hotfixes for OpsCenter 8.0 and 7.7.3 are attached to this document. Please download and apply the appropriate hotfix to the OpsCenter server.

An Emergency Engineering Binary (EEB) is available for OpsCenter 7.7.2 servers by contacting Veritas support, referencing this document and Etrack 3913548.

For other versions, please contact Veritas support, referencing this document and Etrack 3913344 to determine EEB availability.

If a hotfix or EEB cannot be immediately applied to the OpsCenter server, please consider implementing the following workaround to mitigate this vulnerability until such time as they can be applied.

Workaround:

The issue is found in the Apache Struts 2 library that is used by the OpsCenter WebServer Service.

Stopping only the OpsCenter WebServer Service using a platform-specific command will avoid this vulnerability.

Note: Once this service is stopped, users will not be able to view or perform any operation via the OpsCenter Web UI.

Stopping the OpsCenter WebServer Service has NO impact on email notifications, scheduled reports, alert generation and data collection.

Windows: How to stop or start the OpsCenter WebServer Service:

Select Control Panel > Administrative Tools > Services
Stop or start Veritas NetBackup OpsCenter WebServer Service (on version 7.x this service is called Veritas NetBackup OpsCenter WebServer Service)

Unix: How to stop or start the OpsCenter WebServer Service:To Stop: <INSTALL_PATH>/SYMCOpsCenterGUI/bin/stopgui.sh

To Start: <INSTALL_PATH>/SYMCOpsCenterGUI/bin/startgui.sh

Resolution:

Veritas Technologies LLC has acknowledged that the above-mentioned issue (Etrack 3913344) is present in the current versions listed under the Products section of this article. Veritas Technologies LLC is committed to product quality and satisfied customers.

This issue is currently scheduled to be addressed in the next release of OpsCenter. Please be sure to refer back to this document periodically as any changes to the status of the defect will be reflected here. Use the Subcribe to this Article link to sign up for email notification when this document is updated.

Please note that Veritas Technologies LLC reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests. Veritas' plans are subject to change and any action taken by you based on the above information or your reliance upon the above information is made at your own risk.

Hotfix information:

Bug ID: ET 3913550 (8.0) / 3913549 (7.7.3)

Installation Location: OpsCenter server

Installation Instructions: Please follow the instructions available in the included README file.

Package Contents:

Please choose the appropriate platform after download:

OpsCenter_LinuxR_x86_x86_64_80EEB_ET3913550_1.tar.gz RedHat x64 Installation

OpsCenter_LinuxS_x86_x86_64_80EEB_ET3913550_1.tar.gz Suse x64 Installation

OpsCenter_windows_AMD64_80EEB_ET3913550_1.zip Windows x64 Installation

OpsCenter_LinuxR_x86_x86_64_773EEB_ET3913549_1.tar.gz RedHat x64 Installation

OpsCenter_LinuxS_x86_x86_64_773EEB_ET3913549_1.tar.gz Suse x64 Installation

OpsCenter_windows_AMD64_773EEB_ET3913549_1.zip Windows x64 Installation

Checksums:

4209614721 63335555 all/OpsCenter_windows_AMD64_80EEB_ET3913550_1.zip

3063846324 63321102 all/OpsCenter_LinuxS_x86_x86_64_80EEB_ET3913550_1.tar.gz

2013841265 63321132 all/OpsCenter_LinuxR_x86_x86_64_80EEB_ET3913550_1.tar.gz

2604378182 63279071 all/OpsCenter_LinuxR_x86_x86_64_773EEB_ET3913549_1.tar.gz

933072777 63279039 all/OpsCenter_LinuxS_x86_x86_64_773EEB_ET3913549_1.tar.gz

1163191596 63301459 all/OpsCenter_windows_AMD64_773EEB_ET3913549_1.zip

Applies to the following product releases

NetBackup 8.0

Release date: 2016-12-05

End of support life: 2024-03-26

NetBackup 7.7.3

Release date: 2016-06-06

End of support life: 2023-05-05

Update files

	File name	Description	Version	Platform	Size

Choose an account to download the files you selected.