cancel
Showing results for 
Search instead for 
Did you mean: 

Upgrading OpenSSL in NetBackup

cyberninja
Level 6

Hello,

I'm having a security issue with NetBackup. Basically I need to upgrade the installed version of OpenSSL that came with NetBackup. If the OpenSSL is not effected by the current and past vulnerabilities then I need to see document from Symantec.

Theses are the files I need to upgrade
/usr/openv/pdde/pdopensource/bin/.bin/openssl
/usr/openv/pdde/pdopensource/bin/openssl
OpenSSL 0.9.8y

This is the version I need to be up to date.

  • OpenSSL  0.9.8za
  • OpenSSL  1.0.0m
  • OpenSSL  1.0.1h

I have had this issue before. Below is a link to by earlier post asking this question.
http://www.symantec.com/connect/forums/openssl-use-netbackup-7102

I have had this same issue with Java before. This the Symantec fix http://www.symantec.com/business/support/index?page=content&id=TECH148257
This fix is to use the OpenSSL that the OS is using.

Is there a way to do this for SSL?

I have opened a ticket with support and they don't know anything. They are not able to help me.

Can someone help me secure my sever.

1 ACCEPTED SOLUTION

Accepted Solutions

RiaanBadenhorst
Level 6
Partner    VIP    Accredited Certified

Hi,

 

Your previous post is 2 years old. In the last few month there was the Heartbleed vulnerabiity. Since then Symantec have release 7.6.0.2 to address it.

 

http://www.symantec.com/docs/TECH216555

 

https://www-secure.symantec.com/connect/forums/netbackup-7602-netbackup-76-maintenance-release-2-now-available

 

Upgrade your systems.

View solution in original post

9 REPLIES 9

RiaanBadenhorst
Level 6
Partner    VIP    Accredited Certified

Hi,

 

Your previous post is 2 years old. In the last few month there was the Heartbleed vulnerabiity. Since then Symantec have release 7.6.0.2 to address it.

 

http://www.symantec.com/docs/TECH216555

 

https://www-secure.symantec.com/connect/forums/netbackup-7602-netbackup-76-maintenance-release-2-now-available

 

Upgrade your systems.

Nicolai
Moderator
Moderator
Partner    VIP   

You need to follow the OpenSSL version Symantec bundle with Netbackup. Messing with OpenSSL youself could result in a mailfunction of Netbackup

Netbackup 7.6.0.3 is out by the way

cyberninja
Level 6

  Thanks for the infomation. We are not yet ready to upgrade to 7.6. The links don't say if they fix any of the security issues after the Hartbleed issue. So I'm not going to upgrade and find out that OpenSSL is still not fixed.

cyberninja
Level 6

thanks for replying to my post. Does Netbackup 7.6.0.3 update OpenSSL to the latest patched versions I listed above.

I'm not going to Mess with OpenSSL, unless I get help with this. I might remove it from the NEtBackup clients though, because we are not using it on the clients.

RiaanBadenhorst
Level 6
Partner    VIP    Accredited Certified

Its fixed in 7.6.0.2. Thats why i listed the note. 7.6.0.3 will include all patches from previous versions.

cyberninja
Level 6

This is a link to what I'm tring to patch.

https://www-secure.symantec.com/connect/blogs/openssl-patches-critical-vulnerabilities-two-months-after-heartbleed

RiaanBadenhorst
Level 6
Partner    VIP    Accredited Certified

Your version is not affected since you're not on 7.6.

 

4. Which versions of NetBackup & NetBackup Appliances are impacted by this vulnerability?

 

Component Version Impacted?
NetBackup 7.6 / 7.6.0.1 Yes
NetBackup Versions prior to 7.6 No
NetBackup Appliances 2.6 / 2.6.0.1 Yes
NetBackup Appliances Versions prior to 2.6

No
 

cyberninja
Level 6

Where did you get that chart? I can send thta info to my security people, so they will get off my ass.

RiaanBadenhorst
Level 6
Partner    VIP    Accredited Certified

In the note i posted originally.