Problem
How to verify if VTS16-001 (Security Advisory Hotfix) is applied to a NetBackup server/client?
Error Message
No error message is displayed during NetBackup operations if the VTS16-001 hotfix is not applied to a server/client.
Cause
Vulnerability scanners can report that NetBackup servers/clients are vulnerable to the CVEs listed in the VTS16-001 advisory even if the servers/clients have the VTS16-001 advisory hotfix applied.
Solution
The examples below show how to verify that a NetBackup 7.7 Master Server (Unix and Windows) has the VTS16-001 Security Advisory hotfix applied.
Translation Notice
Please note that this content includes text that has been machine-translated from English. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.
Abstract
VTS16-001: Hotfix for Security Advisory impacting NetBackup Appliance, Master servers, Media servers and Clients.
Description
Hotfix for Security Advisory VTS16-001, which addresses NetBackup Remote Access Vulnerabilities. Note: OpsCenter hotfixes are required for compatibility with monitored NetBackup servers which have the hotfix applied. OpsCenter itself is not affected by these issues.
Applies to the following product releases
Knowledge base
Severity Security Vulnerability Description Veritas Technologies LLC has released Security Advisory VTS16-001 affecting all versions of NetBackup and NetBackup Appliances prior to 7.7.2/2.7.2 and announced hotfix availability for the following ve...
Is Veritas NetBackup 7.x?
The Veritas NetBackup installation on the remote Windows host is 7.x prior to version 7.7.2 or is missing a vendor-supplied hotfix. It is, therefore, affected by multiple vulnerabilities:
Summary
Multiple vulnerabilities in Veritas NetBackup and Veritas NetBackup Appliance.
Questions
If you have any questions about any information in this security advisory, please contact Veritas technical support.
Acknowledgement
Veritas would like to thank Sven Blumenstein and Xiaoran Wang from the Google Security Team for reporting these vulnerabilities.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.