
Security Hot Fix! have you done this?

Genericus
Moderator
   VIP   

Just got notified of this - anyone implemented it yet?

https://www.veritas.com/content/support/en_US/security/VTS16-001.html

Veritas Technologies LLC has released Security Advisory VTS16-001 affecting all versions of NetBackup and NetBackup Appliances prior to 7.7.2/2.7.2 and announced hotfix availability for the following versions:


NetBackup and NetBackup OpsCenter:
  • 7.5.0.7
  • 7.6.0.4
  • 7.6.1.2
  • 7.7
  • 7.7.2 (for backwards compatibility)
Note: OpsCenter hotfixes are required for compatibility with monitored NetBackup servers which have the hotfix applied.  OpsCenter itself is not affected by these issues.

NetBackup Appliances:
  • 2.5.4
  • 2.6.0.4
  • 2.6.1.2
  • 2.7.2 (for backwards compatibility)
NetBackup 9.1.0.1 on Solaris 11, writing to Data Domain 9800 7.7.4.0
duplicating via SLP to LTO5 & LTO8 in SL8500 via ACSLS

RLeon
Moderator
   VIP   

Deb W: Thanks for the update! It is much better now.

Marianne: Me? I missed you guys too! Let's just say I had to go and join the dark side for a bit (read: other backup products) but hey I'm ready for rehab.

 

 

Genericus
Moderator
   VIP   

IF you are 7.6.1.2, and you apply the EEB, you may lose the ability to adjust job priority. I certainly did.

 

Veritas was able to reproduce it, awaiting a fix....

 


ejporter
Level 4

Just checked.. Same here.. Let us know when you see a fix.

 

thanks!

Genericus
Moderator
   VIP   

Confirmed as a "bug" by Veritas. Awaiting fix.


D_Flood
Level 6

It's not much help for anyone in a non-Windows shop but the Windows Admin Client for 7.6.1.2 still can change priorities.

I'm still forcing myself to use the Java Admin Console in anticipation of a 7.7 upgrade but it's never going to have even half the functionality of the Windows Admin Client...

 

Nicolai
Moderator
Partner    VIP   

Can you provide the Veritas bug ID or support case number - same issue here?

Genericus
Moderator
   VIP   

I have requested the bug ID ...

Here is the workaround:

1. use the Windows GUI - it can still set priority.

2. command line - I set up some aliases using bpdbjobs like 

alias slplist='bpdbjobs -most_columns|cut -d, -f 1,2,3,4,5,12,15,24,45,57|/usr/bin/grep "4,1,,SLP"| grep -v "Maximum" | grep -v "in use" | sort -t, -k8n -k1n'

(Once an SLP is running, priority is meaningless; I use it to track the final size so I have an idea of when it will complete.)

Here is some output, showing that job 10479251 is 2150GB (I set active at 40000) and 10474545 will go to 5901GB, but has already rolled to a new tape (I update the initial 4 to a 5), so I know I can run my vault without getting a pesky error 288.

10479251,4,1,,SLP_DD3-LTO5-EFS-8wk-Vault01,med01np-LTO5,1202191872,42150,E05956,
10474545,4,1,,SLP_DD3-LTO5-EFS-8wk-Vault01,med01np-LTO5,4382037504,55901,E07503,
 

Set an exact job priority:
bpdbjobs -set_priority [-M master_servers] -priority number -jobid job1,job2,...jobn

Adjust priority by specified quantity:
bpdbjobs -change_priority_by [-M master_servers] -priority number -jobid job1,job2,...jobn

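A decoder for the priority convention described above, added here as an example and not part of Genericus's post. It assumes the column positions seen in the two sample lines (job id first, SLP name fifth, priority eighth, media id ninth) and treats the 4xxxx/5xxxx encoding exactly as described, reporting which active SLP jobs have already rolled to a new tape:

```shell
#!/bin/sh
# Added example, not from the thread: decode the job-priority convention
# described in the post (priority = marker digit followed by the expected
# final size in GB; marker 4 = active, marker 5 = already rolled to a new
# tape) from the comma-separated lines the slplist alias prints.
# Column layout is an assumption taken from the sample output:
# 1=job id, 5=SLP name, 8=priority, 9=media id; other columns pass through.

# Constructed sample: the two lines quoted in the thread.
SAMPLE='10479251,4,1,,SLP_DD3-LTO5-EFS-8wk-Vault01,med01np-LTO5,1202191872,42150,E05956,
10474545,4,1,,SLP_DD3-LTO5-EFS-8wk-Vault01,med01np-LTO5,4382037504,55901,E07503,'

# decode_priority <priority>: prints "active <GB>", "rolled <GB>" or
# "unencoded <priority>" for priorities outside the 40000-59999 convention.
decode_priority() {
    p=$1
    if [ "$p" -ge 40000 ] 2>/dev/null && [ "$p" -lt 50000 ]; then
        echo "active $((p - 40000))"
    elif [ "$p" -ge 50000 ] 2>/dev/null && [ "$p" -lt 60000 ]; then
        echo "rolled $((p - 50000))"
    else
        echo "unencoded $p"
    fi
}

# slp_report: read slplist lines on stdin, print "jobid slp media status GB".
slp_report() {
    while IFS=, read -r jobid f2 f3 f4 slp mserver f7 prio media rest; do
        if [ -n "$jobid" ]; then
            set -- $(decode_priority "$prio")
            printf '%s %s %s %s %sGB\n' "$jobid" "$slp" "$media" "$1" "$2"
        fi
    done
}

# rolled_jobs: job ids that have rolled to a new tape (the ones a vault run
# would otherwise trip over with error 288).
rolled_jobs() {
    slp_report | awk '$4 == "rolled" { print $1 }'
}

# Usage on the sample: printf '%s\n' "$SAMPLE" | slp_report
```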

vmslives
Level 1

We are running Netbackup 7.6.1 on Windows Server 2012.  Hotfix checks for min version of 7.6.1.2.

Tech notes confuse me (some say all versions < 7.7.2 need patch), others say 7.6.1.x need patch, but there is no patch for either 7.6.1 or 7.6.1.1

If I don't upgrade to 7.6.1.2, am I running a security risk since I cannot apply the hotfix? (or is the patch not needed at 7.6.1)

 

TIA

 

Genericus
Moderator
   VIP   

You should check, but as far as I know, EVERY old version is vulnerable. Although they only list back to 7.0.x

You must pick one of these:

Upgrade to Veritas NetBackup 7.7.2 or apply security hotfix for 7.7, 7.6.1.2, 7.6.0.4, 7.5.0.7 as a minimum

Step 1 - you must patch to one of these 5 hot fix versions - so for example you would HAVE to update to 7.6.1.2 - master/media and ALL clients

Step 2 - patch everything.

 

Veritas NetBackup 7.7.1, 7.6.1.x, 7.6.0.x, 7.5.x.x, 7.1.x, 7.0.x: Upgrade to Veritas NetBackup 7.7.2 or apply security hotfix for 7.7, 7.6.1.2, 7.6.0.4, 7.5.0.7 as a minimum


sdo
Moderator
Partner    VIP    Certified

@Genericus, can I ask three questions (Qn):

.

1) You should check, but as far as I know, EVERY old version is vulnerable. Although they only list back to 7.0.x

Q1) Including v7.7.2 is vulnerable?

.

2) You must pick one of these:

ok

.

3) Upgrade to Veritas NetBackup 7.7.2 or apply security hotfix for 7.7, 7.6.1.2, 7.6.0.4, 7.5.0.7 as a minimum

ok

.

4) Step 1 - you must patch to one of these 5 hot fix versions - so for example you would HAVE to update to 7.6.1.2 - master/media and ALL clients

ok

.

5) Step 2 - patch everything.

Q5) You mean apply the security fix EEB to everything... including any existing v7.7.2 "Servers" and any existing v7.7.2 "Clients" ? 

.

6) Veritas NetBackup 7.7.1, 7.6.1.x, 7.6.0.x, 7.5.x.x, 7.1.x, 7.0.x: Upgrade to Veritas NetBackup 7.7.2 or apply security hotfix for 7.7, 7.6.1.2, 7.6.0.4, 7.5.0.7 as a minimum

6) Is the right hand statement better expressed as:

Upgrade (Servers and Clients) to Veritas NetBackup 7.7.2 *AND* apply the v7.7.2 EEB to address the security vulnerability...

...*AND*...

...for any system (Server or Client) which cannot be upgraded to v7.7.2, then upgrade these systems to 7.7, 7.6.1.2, 7.6.0.4, 7.5.0.7 as a minimum *AND* apply the version specific EEB to address the security vulnerability.

Q6) Is this clearer?

Genericus
Moderator
   VIP   

You should check with Veritas for the final answer - but it appears you only have to apply the EEB to 7.7.2 if you need to connect to earlier versions.

So a 7.7.2 master/media server may need the EEB if you have clients NOT at 7.7.2 or higher, and these clients would need the EEB.

https://www.veritas.com/support/en_US/article.000108248 - HotFix FAQ

 If I upgrade to 7.7.2, do I need to install the hotfix on all 7.7.2 systems?

A.   No. You only need to apply the 7.7.2 hotfix to 7.7.2 systems that are utilized to connect to back-level systems via the Java interface.  For 2.7.2 Appliances, the eebinstaller will update the Java console binaries and is only needed if the console is being remotely displayed.

 

What this phrase means "that are utilized to connect to back-level systems via the Java interface" I am not certain. I only run the Java interface on my PC, and connect to the master. To be safe, I am applying the EEB to all my 7.6.1.2 systems AND every PC that has Java console installed.

Q1) Including v7.7.2 is vulnerable? NO

Q5) You mean apply the security fix EEB to everything... including any existing v7.7.2 "Servers" and any existing v7.7.2 "Clients" ? Only if they connect to unsafe systems

Q6) Is this clearer? God I hope so.

 


sdo
Moderator
Partner    VIP    Certified

Q6) Is this clearer? God I hope so.

true lol...

...but... you gonna like this...

...not a lot...

sdo
Moderator
Partner    VIP    Certified

If I have an environment of:

i) A Master/Media running v7.7.2

ii) No other media servers.

iii) Many clients already on v7.7.2

iv) A handful of clients that cannot be upgraded to NBU v7.7.2 and so are running NBU v7.6.1.2.

v) No other PCs/hosts running Java Admin Console (because Java Admin Console is run locally within the Master/Media).

.

Which systems above need the security EEB?

Genericus
Moderator
   VIP   

You should check with Veritas - does it hurt to patch 7.7.2 unnecessarily? Not sure...

AFAIK - this is what I think would be required to patch

If I have an environment of:

i) A Master/Media running v7.7.2 - EEB 7.7.2 because of iv)

ii) No other media servers. 

iii) Many clients already on v7.7.2

iv) A handful of clients that cannot be upgraded to NBU v7.7.2 and so are running NBU v7.6.1.2. - EEB 7.6.1.2

v) No other PCs/hosts running Java Admin Console (because Java Admin Console is run locally within the Master/Media).

 

However - I would likely patch all my clients, unless told not to.


sdo
Moderator
Partner    VIP    Certified

Cool - thank you so much Mr G for taking the time to reply... what I find really interesting about this whole saga... is... that it is still not easy to work out "what must be done" AND "what need not be done".

Even above you yourself would consider patching everything but still without knowing whether "we/you/I must", and I do see where you're coming from... but do we really have to?

Those of us (and I think you're in the same boat too) with many thousands of backup clients... well, I'll say it again, the TN and related docs for this EEB, IMO, aren't good enough.

This issue affects 100% of NetBackup customers globally.

More should have been done by Veritas, and more still should be done by Veritas, to clarify exactly what must be done, and equally importantly clarify what does not need to be done.

We need to see both sides of the "topic"... i.e.

...do "A" because of "B"...

...and...

...do not do "C" because of "D"...

.

And all because... technical points are best defined when one describes what something is AND also describe what something is not.

Genericus
Moderator
   VIP   

Agree, it would be REALLY nice to have an EEB check tool, maybe part of the Java GUI client properties, that would give EEB OK status.

There are likely too many potential variables, with OS, NB version and binary versions, to make it feasible, but it would be "nice"

I have scripted a check against my unix clients, but how do you check the windows ones?

 

# Assumed: clients.txt lists one unix client hostname per line.
# ssh -n stops ssh from reading (and swallowing) the rest of the host list.
while read -r client; do
    ssh -n "$client" "grep 3865353 /usr/openv/pack/pack.summary" | sed "s/^/$client: /" >> eeb.check
done < clients.txt

 

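An extended version of that check, added here as an example rather than Genericus's own script. It keeps the EEB number and the pack.summary path from the post, assumes a clients.txt list of hostnames, and adds the distinction a plain grep-and-append loop loses: a client that is unpatched and a client that simply could not be reached both produce an empty result.

```shell
#!/bin/sh
# Added example, not Genericus's script: an EEB presence check over unix
# clients that tells "installed", "not installed", "pack.summary missing"
# and "host unreachable" apart. A bare `grep ... >> eeb.check` cannot: an
# unpatched client and an unreachable one both contribute nothing.
EEB_ID=3865353                              # EEB number quoted in the thread
PACK_SUMMARY=/usr/openv/pack/pack.summary   # path quoted in the thread

# classify <exit-status>: ssh hands back the remote grep's exit status
# (0 match, 1 no match, 2 file unreadable) and 255 when ssh itself fails.
classify() {
    case "$1" in
        0)   echo "OK" ;;
        1)   echo "MISSING" ;;
        2)   echo "NO-PACK-FILE" ;;
        255) echo "UNREACHABLE" ;;
        *)   echo "ERROR-$1" ;;
    esac
}

# check_client <host>: prints "host STATUS [matched pack.summary line]".
# -n keeps ssh from swallowing the host list when driven by a while-read loop.
check_client() {
    if out=$(ssh -n -o BatchMode=yes -o ConnectTimeout=10 "$1" \
                 "grep $EEB_ID $PACK_SUMMARY" 2>/dev/null); then
        rc=0
    else
        rc=$?
    fi
    printf '%s %s %s\n' "$1" "$(classify "$rc")" "$out"
}

# summarize: count STATUS values on stdin so the clients that still need
# the EEB, or could not be checked at all, stand out.
summarize() {
    awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' | sort
}

# Driver, assuming clients.txt holds one client hostname per line:
#   while read -r h; do check_client "$h"; done < clients.txt | tee eeb.check | summarize
```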