CVE-2022-45461: Veritas NetBackup OS Command Injection Vulnerability

Veritas informed customers last week that it has patched a high vulnerability in its NetBackup product.

NetBackup is powered by Cloud Scale Technology—Cloud Scale Technology is a new generation of proven NetBackup architecture, modernized to operate at a web-scale and provide a foundation for our vision to deliver autonomous data management. NetBackup is the only solution to offer the fully automated movement of cloud-based workloads to lower-cost tiers of storage, either on-premises or in the cloud.

Veritas fixed CVE-2022-45461 (CVSS score: 7.5), a high OS command injection vulnerability that affects NetBackup versions 8,9, and 10 and NetBackup Appliance versions 3,4, and 5.

The bug was caused by an OS Command Injection vulnerability in the Java Admin Console. An attacker could exploit this vulnerability to execute arbitrary commands as root.

“A vulnerability in the NetBackup Java Admin Console allows authenticated non-root users that have been explicitly added to the auth.conf file to execute arbitrary commands as root,” Veritas explained. “The /usr/openv/java/auth.conf file grants access to functions in the NetBackup Administration Console. This file is created by default with only root having administrative rights. This file is present on Primary Servers, Media Servers and Clients.”

Updates that patch the flaw have been released for both NetBackup and Appliance. This affects only Unix-based servers and clients. Windows-based servers and clients are unaffected.

According to the website description, “87% of the Fortune Global 500 choose NetBackup.” So The impact of CVE-2022-45461 is very huge.

Veritas has made no mention of any of the vulnerabilities being exploited in attacks, it’s recommended that users apply the patch released by the company to mitigate potential risks.