VTS22-019

Hotfix for Security Advisory Impacting NetBackup Flex Scale and Access Appliance

Revision History

  • 1.0: November 30, 2022 – Initial Public Release
  • 1.1: December 8, 2022 – Added CVE IDs received from NIST

Summary

Veritas has addressed vulnerabilities impacting both NetBackup Flex Scale and Access Appliance.

Issues

Issue #1 – Unauthenticated Remote Command Execution

Access Appliance and NetBackup Flex Scale are vulnerable to an unauthenticated remote command execution vulnerability.

  • CVE ID: CVE-2022-46414
  • Severity: Critical
  • CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Affected Product & Version:
    • NetBackup Flex Scale 3.0 and prior
    • Access Appliance 8.0.100 and prior
  • Recommended Action:
    • NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix
    • Access Appliance: Upgrade to 7.4.3.300 or 8.0.100 and apply corresponding HotFix.

Issue #2 – Authenticated Remote Command Execution

Access Appliance and NetBackup Flex Scale are vulnerable to an authenticated remote command execution vulnerability.

  • CVE ID: CVE-2022-46413
  • Severity: High
  • CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Affected Product & Version:
    • NetBackup Flex Scale 3.0 and prior
    • Access Appliance 8.0.100 and prior
  • Recommended Action:
    • NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix
    • Access Appliance: Upgrade to version 7.4.3.300 or 8.0.100 and apply corresponding HotFix.

Issue #3 – Default Credentials Persisted for Primary User

A default password is persisted after installation and may be discovered and used to escalate privileges.

  • CVE ID: CVE-2022-46411
  • Severity: High
  • CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Affected Product & Version:
    • NetBackup Flex Scale 3.0 and prior
    • Access Appliance 8.0.100 and prior
  • Recommended Action:
    • NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix
    • Access Appliance: Upgrade to 7.4.3.300 or 8.0.100 and apply corresponding HotFix.

Issue #4 – Restricted Shell Allows Escape to Regular Shell

It is possible for a non-privileged user to escape a restricted shell and execute privileged commands.

  • CVE ID: CVE-2022-46412
  • Severity: High
  • CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Affected Product & Version:
    • NetBackup Flex Scale 3.0 and prior
  • Recommended Action:
    • NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix

Issue #5 – Shell Privilege Escalation

An attacker with non-root privileges may escalate privileges to root using specific commands.

  • CVE ID: CVE-2022-46410
  • Severity: High
  • CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Affected Product & Version:
    • NetBackup Flex Scale 3.0 and prior
  • Recommended Action:
    • NetBackup Flex Scale: Upgrade to version 3.0 and apply HotFix

Notes

To download the appropriate HotFix for NetBackup Flex Scale or Access Appliance, please see the Veritas Support Download page.

Questions

For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support).

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. ANY FORWARD-LOOKING INDICATION OF PLANS FOR PRODUCTS IS PRELIMINARY AND ALL FUTURE RELEASE DATES ARE TENTATIVE AND ARE SUBJECT TO CHANGE. ANY FUTURE RELEASE OF THE PRODUCT OR PLANNED MODIFICATIONS TO PRODUCT CAPABILITY, FUNCTIONALITY, OR FEATURE ARE SUBJECT TO ONGOING EVALUATION BY VERITAS, AND MAY NOT BE IMPLEMENTED AND SHOULD NOT BE CONSIDERED FIRM COMMITMENTS BY VERITAS AND SHOULD NOT BE RELIED UPON IN MAKING DECISIONS.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054