Revision History

  • 1.0: July 13, 2022 – Initial Release
  • 2.0: July 18, 2022 – Updated to include additional issues

Remedial Actions

To address all the vulnerabilities listed below, upgrade to version 8.3.0.2, 9.0.0.1, 9.1.0.1, or 10.0 and apply the appropriate HotFix linked above. The base version alone is not sufficient: Issues #1 and #7 below affect 10.0 and earlier, so the HotFix must still be applied after upgrading to one of these versions.
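A version check for the remediation above, as an added example (it is not Veritas code or part of this advisory). Comparing version strings lexically gets this advisory wrong ("9.1.0.1" sorts after "10.0" as text), so the script compares numerically with zero padding. It assumes, since the page does not say so, that a release branch is the first two components (8.3, 9.0, 9.1, 10.0), that a build on an unlisted older branch should move to 10.0, and that branches newer than 10.0 are outside this advisory's scope; the HotFix requirement cannot be derived from a version number, so a build at a fixed base version is still reported as needing the HotFix.

```python
"""Decide whether a NetBackup OpsCenter build is at one of the fixed base versions
named in this advisory or still needs an upgrade.

Added example, not Veritas code. Assumptions (not stated in the advisory): a release
branch is the first two version components; builds on an unlisted branch are steered
to 10.0; branches newer than 10.0 are out of scope for this advisory.
"""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Fixed base versions from "Remedial Actions", keyed by branch (assumed: first two components).
FIXED_BASE: Dict[Tuple[int, int], Version] = {
    (8, 3): (8, 3, 0, 2),
    (9, 0): (9, 0, 0, 1),
    (9, 1): (9, 1, 0, 1),
    (10, 0): (10, 0),
}
LATEST_BRANCH: Tuple[int, int] = (10, 0)


def parse_version(text: str) -> Version:
    """Parse a dotted version string into a tuple of ints; reject non-numeric input."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version with major.minor: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Version, b: Version) -> int:
    """Numeric comparison with zero padding: 10.0 == 10.0.0.0 and 9.1.0.1 < 10.0.
    Plain string comparison gets both wrong because '9' > '1'."""
    width = max(len(a), len(b))
    a2 = a + (0,) * (width - len(a))
    b2 = b + (0,) * (width - len(b))
    return (a2 > b2) - (a2 < b2)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(installed: str) -> Dict[str, str]:
    """Return a status and, where relevant, the base version to upgrade to.

    status values:
      fixed_base     - at or above the branch's fixed base; the HotFix must still be applied
      upgrade_needed - below the fixed base, or on an unlisted older branch
      out_of_scope   - branch newer than 10.0, not covered by this advisory
    """
    v = parse_version(installed)
    branch = (v[0], v[1])
    if branch > LATEST_BRANCH:
        return {"status": "out_of_scope", "target": ""}
    fixed = FIXED_BASE.get(branch)
    if fixed is None:
        # Unlisted branch (e.g. 8.2): no fixed build on that line, move to the latest release.
        return {"status": "upgrade_needed", "target": fmt(FIXED_BASE[LATEST_BRANCH])}
    if compare(v, fixed) < 0:
        return {"status": "upgrade_needed", "target": fmt(fixed)}
    return {"status": "fixed_base", "target": fmt(fixed)}


if __name__ == "__main__":
    # Constructed sample builds, not real inventory data.
    for build in ("9.1.0.0", "9.1.0.1", "8.3.0.2", "10.0", "8.2.0.1", "10.1"):
        r = assess(build)
        note = " (HotFix still required)" if r["status"] == "fixed_base" else ""
        print(f"{build:>8}: {r['status']}{note} {r['target']}")
```

Feed it the version reported by each OpsCenter server in your inventory; any build reported as fixed_base still needs the HotFix and EEB check described under Notes below.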

Issues

Issue #1: Unauthorized account creation or modification

Under specific conditions an authenticated remote attacker may be able to create or modify accounts.

  • CVE ID: CVE-2022-36954
  • Severity: Critical
  • CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • Affected Versions: 10.0 and earlier
  • Recommended actions:
    • Review OpsCenter user accounts to ensure this vulnerability has not been exploited in your OpsCenter implementation. Use these instructions to view the OpsCenter user account information.
    • Upgrade to 8.3.0.2, 9.0.0.1, 9.1.0.1, or 10.0 and apply the appropriate HotFix.

Issue #2: Remote command execution

An unauthenticated remote attacker may compromise the host by exploiting a previously patched vulnerability whose fix was incomplete.

  • CVE ID: CVE-2022-36951
  • Severity: Critical
  • CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Affected Versions: 9.1.0.1 and earlier
  • Recommended action: Upgrade to 8.3.0.2, 9.0.0.1, 9.1.0.1, or 10.0 and apply the HotFix as needed.

Issue #3: Remote command execution

An unauthenticated remote attacker may be able to achieve remote command execution through Java classloader manipulation.

Issue #4: Path Traversal vulnerability

NetBackup OpsCenter may be vulnerable to a Path Traversal attack via the esapi-2.2.3.1 third-party component.

Issue #5: Local privilege escalation

An attacker with local access to a NetBackup OpsCenter server could potentially escalate their privileges.

Issue #6: Hard coded credentials vulnerability

A hard-coded credential was discovered in NetBackup OpsCenter that could be used to exploit the underlying VxSS subsystem.

Issue #7: DOM XSS vulnerability

NetBackup OpsCenter is vulnerable to a DOM XSS attack.

  • CVE ID: CVE-2022-36948
  • Severity: Medium
  • CVSS v3.1 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
  • Affected Versions: 10.0 and earlier
  • Recommended action: Upgrade to 8.3.0.2, 9.0.0.1, 9.1.0.1, or 10.0 and apply the appropriate HotFix.

Issue #8: Information leakage

Certain OpsCenter endpoints could allow an unauthenticated remote attacker to obtain sensitive information.

Notes

You may also use the NetBackup HotFix and EEB Release Auditor on SORT to check if a previous Emergency Engineering Binary (EEB) or HotFix was delivered in a released product version. This information is also available in the NetBackup Emergency Engineering Binary Guide for that version. If you do not see information related to a HotFix or an EEB you expected, please contact Veritas Technical Support.

Questions

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).

Acknowledgement

Veritas would like to thank the following Airbus Security Team members for notifying us about several of the issues in this advisory: Mouad Abouhali, Benoit Camredon, Nicholas Devillers, Anais Gantet, and Jean-Romain Garnier.

Disclaimer

AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054