10-21-2013 11:57 AM
Hello,
I was doing some security checks on my server and found out that the Symantec Deduplication Agent is using an old version of OpenSSL. Is there a patch I can apply?
Info
package used on Solaris 10 for the Deduplication Agent - SYMCpddea - Version - 7.0.0.0
Netbackup master server - Solaris 10 - 7.5.0.4
Netbackup Media server - Solaris 10 - 7.5.0.4
Netbackup clients - Solaris 10 - 7.5.0.4
Symantec has a way to fix Java security issues by redirecting the Java to the system Java. http://www.symantec.com/business/support/index?page=content&id=TECH148257
Is there a workaround like this for OpenSSL as well?
Thanks.
10-21-2013 12:28 PM
The only patch as such is a newer version of NetBackup software. NBU 7.5.0.6 is on the street - but I don't know if Symantec has upgraded OpenSSL.
An OpenSSL vulnerability was reported for NBU 7.0.1 to 7.1; see http://www.symantec.com/docs/TECH159456
10-21-2013 02:10 PM
Unlike Java, it's not as simple as using the system OpenSSL libraries rather than the ones in the NetBackup package.
The version of OpenSSL used by Dedupe was updated in the NetBackup 7.5.0.6 patch release. That is the best course of action in this case.
10-22-2013 06:02 AM
Nice info. I don't think I can just remove the PDDE/OpenSSL. I will have to check to see if we are using dedupe on the client side.
I didn't use a scanner; I used the find command.
find / -name openssl -type f 2>/dev/null
<result> version -a
10-22-2013 06:11 AM
Before I recommend that we upgrade, I need to know if the upgrade will fix the issue.
The security people say I need one of the following: 0.9.8y, 1.0.0k or 1.0.1e.
The netbackup version is 0.9.8.r. Does the upgrade get me to the level I need?
10-23-2013 03:16 PM
The 7.5.0.6 Release Notes mention that 0.9.8.y is included. Check out page 67:
As well, 7.6 should definitely contain one of the versions you mention above.
10-24-2013 01:47 PM
The update fixes the issue. It updates OpenSSL to version 0.9.8.y.
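The manual check used in this thread (find each bundled openssl binary, run `version`, compare against 0.9.8y, 1.0.0k or 1.0.1e), written out as an added shell example that is not part of the original posts. The function names are hypothetical and the sample version lines are constructed.

```shell
#!/bin/sh
# Added example: classify OpenSSL version strings against the per-branch
# minimums quoted in the thread (0.9.8y, 1.0.0k, 1.0.1e).

# Minimum patch letter for a branch; empty output means "branch not listed".
min_letter() {
    case "$1" in
        0.9.8) echo y ;;
        1.0.0) echo k ;;
        1.0.1) echo e ;;
    esac
}

# Takes one line of `openssl version` output, prints OK, OUTDATED or UNKNOWN.
check_openssl_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    branch=$(printf '%s\n' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    # Patch letter(s); tolerates "0.9.8.r" and suffixes such as "-fips".
    letter=$(printf '%s\n' "$ver" |
        sed 's/^[0-9]*\.[0-9]*\.[0-9]*\.\{0,1\}\([a-z]*\).*/\1/')
    min=$(min_letter "$branch")
    if [ -z "$min" ]; then echo UNKNOWN; return 0; fi
    # Longer letter runs sort later (z < za); equal lengths compare as strings.
    if LC_ALL=C awk -v a="$letter" -v b="$min" 'BEGIN {
        exit !(length(a) > length(b) ||
               (length(a) == length(b) && (a "") >= (b ""))) }'
    then echo OK; else echo OUTDATED; fi
}

# Runs every executable file named "openssl" under DIR and reports its status.
audit_tree() {
    find "$1" -name openssl -type f 2>/dev/null | while IFS= read -r bin; do
        [ -x "$bin" ] || continue
        out=$("$bin" version 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$(check_openssl_version "$out")" "$bin" "$out"
    done
}

# Constructed sample lines (not captured from a real host).
for line in "OpenSSL 0.9.8r 8 Feb 2011" "OpenSSL 0.9.8y 5 Feb 2013" \
            "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.0j 10 May 2012"; do
    printf '%s -> %s\n' "$line" "$(check_openssl_version "$line")"
done
```

Running `audit_tree /` before and after the upgrade lists each bundled copy with its status; branches outside the three named in the thread are reported as UNKNOWN rather than guessed.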