A security vulnerability exists in MySQL version 3.23.58. This version of MySQL is shipped with the VERITAS NetBackup (tm) 4.5, 5.0, & 5.1 Advanced Reporter Option and Global Data Manager Option.

Article:TECH43327  |  Created: 2005-01-23  |  Updated: 2013-10-23  |  Article URL http://www.symantec.com/docs/TECH43327
Article Type
Technical Solution

Product(s)

Environment

Issue



A security vulnerability exists in MySQL version 3.23.58. This version of MySQL is shipped with the VERITAS NetBackup (tm) 4.5, 5.0, & 5.1 Advanced Reporter Option and Global Data Manager Option.

Solution



What is Affected
This issue is known to affect the following NetBackup products, on both UNIX and Windows platforms:

  • NetBackup Advanced Reporter Option:  All current versions, as of the date of this publication.
  • NetBackup Global Data Manager Option:  All current versions, as of the date of this publication.

A security vulnerability is known to exist in MySQL version 3.23.58.  This version of MySQL is shipped with the NetBackup Advanced Reporter (NBAR) & NetBackup Global Data Manager (GDM) Options.  Additional details about the vulnerability can be found at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835


MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities.  

The risk for this issue will be significantly mitigated for systems behind a firewall that is configured for at least privileged use.

How to Determine if Affected
All versions of NBAR and GDM, released up to the time of this publication, and running on either Windows or UNIX platforms, are known to be affected. It is considered a "Best Practice" to always run applications, such as NetBackup, behind a firewall or some other external boundary protection that controls traffic coming on and off the local network. Running NetBackup inside a secured network perimeter will help minimize exposure to exploitation of this vulnerability from attacks originating outside the local network.

Reducing Exposure to the MySQL Security Vulnerability
NBAR:
By default, NBAR uses port 3306 for the MySQL NBAR database daemon, ardbd. In order to reduce exposure to the security vulnerabilities block port 3306 and allow access only for trusted clients. The trusted clients would have to include the GDM Managed Servers to display GDM and NBAR reports. Optionally, it is possible to disallow all remote access and use NBAR only on the local console.  Some of the listed vulnerabilities require local access. Verifying that all local users are trusted will also reduce the exposure to this vulnerability.

GDM:
Symantec strongly suggests modifying the NetBackup configuration, so the MySQL GDM database daemon runs as a non-privileged user on UNIX.

On UNIX, the MySQL server nbdbd can be started and run by any user.
In order to change nbdbd to run as a normal unprivileged UNIX user "user_name", do the following:

1. Stop the NetBackup services using ./netbackup stop command in /usr/openv/netbackup/bin/goodies.

2. Change the database directories and files so user_name has privileges to read and write files in them (this may need to be done as the UNIX root user):

chown -R user_name /usr/openv/db/var/

If directories or files within the MySQL data directory are symbolic links, follow those links and change the directories and files to which they point. The command chown -R might not follow symbolic links.

3. Start the nbdbd server as user user_name. For this, modify line 103 in /usr/openv/netbackup/bin/admincmd/nbdbdmon to user=user_name.

4. After this, start NetBackup services using ./netbackup start command.

By default, GDM uses port 13784 for the MySQL GDM database daemon. In order to reduce exposure to the security vulnerabilities block port 13784 allowed access only for trusted clients. Access needs to be permitted for any GDM managed server. Some of the listed vulnerabilities require local access to the database daemon. Verifying that all local users are trusted will also reduce the exposure to these vulnerabilities.

Mitigating Security Vulnerabilities
In order to mitigate security vulnerabilities, Symantec strongly recommends reviewing your current security policy to ensure the following are included in the policy:

1.  Run NetBackup behind a firewall or some other external boundary protection that controls traffic coming in and off the network.
2.  Run  NetBackup at least-privilege access
3.  If remote access is required, allow access to only those IP addresses requiring remote access
4.  Deploy network intrusion detection systems to monitor network traffic for signs of malicious, anomalous, or suspicious activity.  This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.

Formal Resolution
This vulnerability is addressed by MySQL in version 3.23.59 or later of MySQL.  Symantec software has incorporated MySQL 3.23.59 in the NetBackup 5.0 and 5.1 release trains.  To resolve this issue, it patch to one of the versions of NetBackup shown below:

  • For NetBackup 5.1, upgrade to NetBackup MP4
  • For NetBackup 5.0, upgrade to NetBackup MP6

Symantec takes any security issue extremely seriously and is working to test and incorporate this new MySQL version into the 4.5 release train as quickly as possible.  Symantec's NetBackup Engineers have tested NetBackup 4.5 using MySQL 3.23.59, but have not yet released patch with contains the appropriate binaries.  To obtain a fix for NetBackup 4.5, it is necessary to apply NetBackup MP9 or FP9, and contact Symantec Enterprise Technical Support for the MySQL binary.

Please note that during testing, an additional issue with HP/UX and GDM was discovered.  Upon starting visd, visd terminates with the error "Error initializing ODBC Persistent Store".  Customers using this solution require an additional binary, which is available by contacting Symantec Enterprise Technical Support.  

If you have any questions or concerns about this issue, as it relates to NetBackup, please contact Symantec Enterprise Technical Support.  

For any questions specific to MySQL, please contact MySQL:    http://www.mysql.com/support/


If you have not received this TechAlert from the Symantec Email Notification Service for Software Alerts, please subscribe at the following link:    
 http://maillist.support.veritas.com/subscribe.asp


Supplemental Materials

SourceETrack
Value363236
DescriptionNBAR shipping with vulnerable version of mysql

SourceETrack
Value417207
DescriptionMySQL security issue

SourceETrack
Value420628
Description[GDM] Update MySQL version 3.23.59 is killing visd process on Hp-Ux.


Legacy ID



278663


Article URL http://www.symantec.com/docs/TECH43327


Terms of use for this information are found in Legal Notices