Revision History

  • 1.0: December 23, 2020: Initial version

Summary

Several Veritas products share a common vulnerability related to their use of OpenSSL. An attacker with local access to the system on which the Veritas application is installed can place malicious files on the system and then exploit the vulnerability to cause the Veritas product to load those files and execute the malicious software as part of the Veritas application. Because of the type of access needed to perform their functions, Veritas applications typically have a type of administrator access on the system. By default, this gives the application access to all files on the system. Thus, an attacker who exploits this vulnerability can potentially affect not just the Veritas application, but any data or any application running on the system. An attacker may also be able to leverage data on a system to attack other systems.

Because of the critical nature of this vulnerability, customers who are under a current, valid support contract are urged to upgrade and/or apply a patch if and when it is made available by Veritas. If you cannot immediately upgrade or patch, or if no upgrade or patch is made available for the version of software you’re using, there is a simple mitigation that can help prevent the vulnerability from being exploited. Details about upgrades, patches and mitigations can be found in the individual product security advisories listed below:

Questions

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).