cyberninja
Level 6
10 years ago

Upgrading OpenSSL in NetBackup

Hello,

I'm having a security issue with NetBackup. Basically I need to upgrade the installed version of OpenSSL that came with NetBackup. If the OpenSSL is not affected by the current and past vulnerabilities, then I need to see a document from Symantec.

These are the files I need to upgrade:
/usr/openv/pdde/pdopensource/bin/.bin/openssl
/usr/openv/pdde/pdopensource/bin/openssl
OpenSSL 0.9.8y

This is the version I need to be up to date.

  • OpenSSL 0.9.8za
  • OpenSSL 1.0.0m
  • OpenSSL 1.0.1h

I have had this issue before. Below is a link to my earlier post asking this question.
http://www.symantec.com/connect/forums/openssl-use-netbackup-7102

I have had this same issue with Java before. This is the Symantec fix: http://www.symantec.com/business/support/index?page=content&id=TECH148257
This fix is to use the OpenSSL that the OS is using.

Is there a way to do this for SSL?

I have opened a ticket with support and they don't know anything. They are not able to help me.

Can someone help me secure my server?
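
A version check for the two binaries named in the post above, as an added example that is not part of the original thread or any Symantec tooling: it compares each bundled OpenSSL's reported version with the fixed release the post lists for its branch. It assumes the usual `OpenSSL <version> <date>` output of `openssl version`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report whether each bundled OpenSSL
# is at or past the fixed release the post lists for its branch.

# Fixed letter release per branch, taken from the list in the post.
fixed_for_branch() {
    case "$1" in
        0.9.8) echo za ;;
        1.0.0) echo m ;;
        1.0.1) echo h ;;
        *) return 1 ;;
    esac
}

# True if letter suffix $1 is older than $2. OpenSSL suffixes run
# (none), a..z, za, zb, ...: shorter sorts first, equal lengths by letter.
suffix_older() {
    if [ "${#1}" -ne "${#2}" ]; then
        if [ "${#1}" -lt "${#2}" ]; then return 0; else return 1; fi
    fi
    LC_ALL=C expr "x$1" \< "x$2" >/dev/null
}

# Classify a version such as "0.9.8y": prints outdated, current or unknown.
# Branches not in the post, or unparsable strings, are "unknown".
check_version() {
    branch=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[a-z]*$/\1/p')
    suffix=$(printf '%s\n' "$1" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*\([a-z]*\)$/\1/p')
    fixed=$(fixed_for_branch "$branch") || { echo unknown; return 0; }
    if suffix_older "$suffix" "$fixed"; then echo outdated; else echo current; fi
}

# Paths are the ones given in the post; missing binaries are skipped.
for bin in /usr/openv/pdde/pdopensource/bin/.bin/openssl \
           /usr/openv/pdde/pdopensource/bin/openssl; do
    [ -x "$bin" ] || continue
    ver=$("$bin" version 2>/dev/null | awk '{print $2}')
    echo "$bin: $ver ($(check_version "$ver"))"
done
```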

  • Hi,

    Your previous post is 2 years old. In the last few months there was the Heartbleed vulnerability. Since then Symantec have released 7.6.0.2 to address it.

    http://www.symantec.com/docs/TECH216555

    https://www-secure.symantec.com/connect/forums/netbackup-7602-netbackup-76-maintenance-release-2-now-available

    Upgrade your systems.

9 Replies

  • Where did you get that chart? I can send that info to my security people, so they will get off my ass.

  • Your version is not affected since you're not on 7.6.

    4. Which versions of NetBackup & NetBackup Appliances are impacted by this vulnerability?

    Component             Version                 Impacted?
    NetBackup             7.6 / 7.6.0.1           Yes
    NetBackup             Versions prior to 7.6   No
    NetBackup Appliances  2.6 / 2.6.0.1           Yes
    NetBackup Appliances  Versions prior to 2.6   No

  • This is a link to what I'm trying to patch.

    https://www-secure.symantec.com/connect/blogs/openssl-patches-critical-vulnerabilities-two-months-after-heartbleed

  • It's fixed in 7.6.0.2. That's why I listed the note. 7.6.0.3 will include all patches from previous versions.

  • Thanks for replying to my post. Does NetBackup 7.6.0.3 update OpenSSL to the latest patched versions I listed above?

    I'm not going to mess with OpenSSL, unless I get help with this. I might remove it from the NetBackup clients though, because we are not using it on the clients.

  • Thanks for the information. We are not yet ready to upgrade to 7.6. The links don't say if they fix any of the security issues after the Heartbleed issue. So I'm not going to upgrade and find out that OpenSSL is still not fixed.

  • You need to follow the OpenSSL version Symantec bundles with NetBackup. Messing with OpenSSL yourself could result in a malfunction of NetBackup.

    NetBackup 7.6.0.3 is out, by the way.
