
Upgrading OpenSSL in NetBackup

cyberninja
Level 6

Hello,

I'm having a security issue with NetBackup. Basically, I need to upgrade the installed version of OpenSSL that came with NetBackup. If the OpenSSL is not affected by the current and past vulnerabilities, then I need to see a document from Symantec.

These are the files I need to upgrade:
/usr/openv/pdde/pdopensource/bin/.bin/openssl
/usr/openv/pdde/pdopensource/bin/openssl
OpenSSL 0.9.8y

This is the version I need to be up to date.

  • OpenSSL  0.9.8za
  • OpenSSL  1.0.0m
  • OpenSSL  1.0.1h

I have had this issue before. Below is a link to my earlier post asking this question.
http://www.symantec.com/connect/forums/openssl-use-netbackup-7102

I have had this same issue with Java before. This is the Symantec fix: http://www.symantec.com/business/support/index?page=content&id=TECH148257
This fix is to use the OpenSSL that the OS is using.

Is there a way to do this for SSL?

I have opened a ticket with support and they don't know anything. They are not able to help me.

Can someone help me secure my server?
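
A version check for the two bundled binaries named in the question, written here as an added example (not part of any post and not Symantec's tooling). It compares the reported version with the three releases listed in the question; the function names are made up for the example, and the comparison assumes OpenSSL's letter-suffix scheme (a..z, then za, zb, ...).

```shell
#!/bin/sh
# Added example: compare a bundled OpenSSL version with the releases listed in the post.

# Minimum release per branch, as listed in the post (0.9.8za, 1.0.0m, 1.0.1h).
min_suffix() {
  case "$1" in
    0.9.8) echo za ;;
    1.0.0) echo m ;;
    1.0.1) echo h ;;
    *) return 1 ;;          # branch not listed in the post
  esac
}

# Is letter suffix $1 >= suffix $2? Order is "", a..z, za, zb, ...
# so compare by length first, then alphabetically.
suffix_ge() {
  [ "$1" = "$2" ] && return 0
  lowest=$(printf '%s%s\n' "${#1}" "$1" "${#2}" "$2" | LC_ALL=C sort | head -n 1)
  [ "$lowest" = "${#2}$2" ]
}

# Returns 0 if at or above the listed release, 1 if below,
# 2 if the string cannot be parsed or the branch is not listed.
is_patched() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$' || return 2
  branch=$(printf '%s\n' "$1" | sed 's/[a-z]*$//')
  min=$(min_suffix "$branch") || return 2
  suffix_ge "${1#"$branch"}" "$min"
}

# Paths are the ones given in the post; binaries that are absent are skipped.
for bin in /usr/openv/pdde/pdopensource/bin/openssl \
           /usr/openv/pdde/pdopensource/bin/.bin/openssl; do
  [ -x "$bin" ] || continue
  # "openssl version" prints e.g. "OpenSSL 0.9.8y 5 Feb 2013"; field 2 is the version.
  ver=$("$bin" version 2>/dev/null | awk '{print $2}')
  rc=0
  is_patched "$ver" || rc=$?
  case "$rc" in
    0) state="at or above the listed release" ;;
    1) state="below the listed release" ;;
    *) state="not comparable (unknown branch or format)" ;;
  esac
  printf '%s: OpenSSL %s is %s\n' "$bin" "$ver" "$state"
done
```

A "below" result only says the version string is older than the listed release; whether a given NetBackup version is impacted is decided by the vendor's note.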

1 ACCEPTED SOLUTION


RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

Hi,

 

Your previous post is 2 years old. In the last few months there was the Heartbleed vulnerability. Since then Symantec has released 7.6.0.2 to address it.

http://www.symantec.com/docs/TECH216555

https://www-secure.symantec.com/connect/forums/netbackup-7602-netbackup-76-maintenance-release-2-now-available

Upgrade your systems.

9 REPLIES 9

Nicolai
Moderator
Partner    VIP   

You need to follow the OpenSSL version Symantec bundles with NetBackup. Messing with OpenSSL yourself could result in a malfunction of NetBackup.

NetBackup 7.6.0.3 is out, by the way.

cyberninja
Level 6

Thanks for the information. We are not yet ready to upgrade to 7.6. The links don't say if they fix any of the security issues after the Heartbleed issue. So I'm not going to upgrade and find out that OpenSSL is still not fixed.

cyberninja
Level 6

Thanks for replying to my post. Does NetBackup 7.6.0.3 update OpenSSL to the latest patched versions I listed above?

I'm not going to mess with OpenSSL unless I get help with this. I might remove it from the NetBackup clients though, because we are not using it on the clients.

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

It's fixed in 7.6.0.2. That's why I listed the note. 7.6.0.3 will include all patches from previous versions.

cyberninja
Level 6

This is a link to what I'm trying to patch.

https://www-secure.symantec.com/connect/blogs/openssl-patches-critical-vulnerabilities-two-months-after-heartbleed

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

Your version is not affected since you're not on 7.6.

 

4. Which versions of NetBackup & NetBackup Appliances are impacted by this vulnerability?

Component              Version                   Impacted?
NetBackup              7.6 / 7.6.0.1             Yes
NetBackup              Versions prior to 7.6     No
NetBackup Appliances   2.6 / 2.6.0.1             Yes
NetBackup Appliances   Versions prior to 2.6     No

cyberninja
Level 6

Where did you get that chart? I can send that info to my security people, so they will get off my ass.

RiaanBadenhorst
Moderator
Partner    VIP    Accredited Certified

In the note I posted originally.