Security Maintenance Pack NB_50_5S2A_M.solaris.tar provides security-related fixes for VERITAS NetBackup (tm) Enterprise Server / Server 5.0 on Solaris servers.
Article: TECH45510 | Created: 2005-01-14 | Updated: 2005-01-14 | Article URL: http://www.symantec.com/docs/TECH45510
Problem
Security Maintenance Pack NB_50_5S2A_M.solaris.tar provides security-related fixes for VERITAS NetBackup (tm) Enterprise Server / Server 5.0 on Solaris servers.
Solution
NB 5.0GA Pack NB_50_5S2A_M
README December 10, 2005
Requirement: NB_CLT_50_5S2_M NB_50_5_M
================================================================================
**THIS SECURITY MAINTENANCE PACK MUST BE INSTALLED OVER THE NETBACKUP 5.0GA PACK
NB_50_5_M MAINTENANCE PACK. ANY ATTEMPT TO INSTALL THIS PACK OVER AN EARLIER
VERSION OF NETBACKUP 5.0 WILL RESULT IN A FAILED INSTALL.**
**Please note that this server pack (NB_50_5S2A_M_<6 digit number>.<server>.tar)
requires and is co-required by client pack NB_CLT_50_5S2_M_<6 digit number>.tar.
There is no NB_CLT_5S2A_M pack.**
Symantec recommends avoiding backups of active file systems, or using
snapshot technologies instead. The directory structure that the file system
reports back to NetBackup may not contain all of the files available at the
time of the backup. In many cases NetBackup will not report an error for a
file whose existence was never reported to it by the file system.
(Please refer to the PACK DEPENDENCIES and the RELATED DOCUMENTS sections of
this Readme for additional information that applies to this pack.)
==================
PACK DEPENDENCIES
==================
-- NB_50_5_M_<6 digit number>.<server>.tar must be installed before this
Maintenance Pack is installed.
-- NB_CLT_50_5S2_M_<6 digit number>.tar must be installed before this
Maintenance Pack is installed.
-- Installation of this Maintenance Pack requires version 1.17.4.25.2.3 of
the Vrts_pack.install script.
I. DOWNLOAD INSTRUCTIONS
II. INSTALLATION INSTRUCTIONS
III. UNINSTALL INSTRUCTIONS
IV. DESCRIPTION OF PROBLEMS FIXED
Current Pack
NB_50_5S1320_M
=========================
I. DOWNLOAD INSTRUCTIONS
=========================
1) Download the NB_CLT_50_5S2_M_<6 digit number>.tar and
   NB_50_5S2A_M_<6 digit number>.<server>.tar files into the
   /tmp directory,

     where <6 digit number> is an internal tracking identifier
     where <server> is alpha_5, hp_ux, linux, rs6000, sgi, solaris

   NOTE: NB_CLT_50_5S2_M_<6 digit number>.tar has the client binaries and
   NB_50_5S2A_M_<6 digit number>.<server>.tar has the server binaries and BOTH
   must be installed.

2) Extract the NB_CLT_50_5S2_M_<6 digit number>.tar and the
   NB_50_5S2A_M_<6 digit number>.<server>.tar files.

     tar xvf NB_CLT_50_5S2_M_<6 digit number>.tar
     tar xvf NB_50_5S2A_M_<6 digit number>.<server>.tar

   NB_50_5S2A_M will create the files:

     VrtsNB_50_5S2A_M.README
     VrtsNB_50_5S2A_M.<server>.tar.Z
     VrtsNB_50_5S2A_M.postuninstall
     VrtsNB_50_5S2A_M.postinstall
     VrtsNB_50_5S2A_M.preinstall
     Vrts_pack.install

   NB_CLT_50_5S2_M will create the files:

     VrtsNB_CLT_50_5S2_M.README
     VrtsNB_CLT_50_5S2_M.tar.Z
     VrtsNB_CLT_50_5S2_M.postuninstall
     VrtsNB_CLT_50_5S2_M.postinstall
     VrtsNB_CLT_50_5S2_M.preinstall
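
Added example (not part of the Symantec README): a POSIX shell preflight that checks, before Vrts_pack.install is run, that the server tarball name is well formed and that every file the two archives should have created is present and non-empty in one directory. The function names are hypothetical; the pack names, file names and <server> values are the ones listed in this section.

```shell
#!/bin/sh
# Preflight for the extracted NB_50_5S2A_M / NB_CLT_50_5S2_M pack files.
# Usage (as root, after extracting both tar files into /tmp):
#   preflight /tmp solaris && cd /tmp && /bin/sh Vrts_pack.install

SERVER_PACK=NB_50_5S2A_M
CLIENT_PACK=NB_CLT_50_5S2_M

# valid_server NAME: succeed only for a <server> value listed in the README.
valid_server() {
    case "$1" in
        alpha_5|hp_ux|linux|rs6000|sgi|solaris) return 0 ;;
        *) return 1 ;;
    esac
}

# tarball_server FILE: print <server> when FILE is named
# NB_50_5S2A_M_<6 digit number>.<server>.tar, otherwise fail.
tarball_server() {
    name=${1##*/}
    case "$name" in
        ${SERVER_PACK}_[0-9][0-9][0-9][0-9][0-9][0-9].*.tar) ;;
        *) return 1 ;;
    esac
    server=${name#${SERVER_PACK}_??????.}
    server=${server%.tar}
    valid_server "$server" && echo "$server"
}

# expected_files SERVER: print the files both archives should have created.
expected_files() {
    for suffix in README "$1.tar.Z" postuninstall postinstall preinstall; do
        echo "Vrts${SERVER_PACK}.${suffix}"
    done
    echo "Vrts_pack.install"
    for suffix in README tar.Z postuninstall postinstall preinstall; do
        echo "Vrts${CLIENT_PACK}.${suffix}"
    done
}

# missing_files DIR SERVER: print each expected file that is absent or empty.
missing_files() {
    expected_files "$2" | while read -r f; do
        [ -s "$1/$f" ] || echo "$f"
    done
}

# preflight DIR SERVER: 0 = complete, 1 = files missing, 2 = bad server type.
preflight() {
    dir=$1 server=$2
    valid_server "$server" || { echo "unknown server type: $server" >&2; return 2; }
    missing=$(missing_files "$dir" "$server")
    if [ -n "$missing" ]; then
        echo "missing or empty in $dir:" >&2
        echo "$missing" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}
```

A missing client .tar.Z or client README is worth catching here because the server pack and the client pack are co-required.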
===============================
II. INSTALLATION INSTRUCTIONS
===============================
NOTE: For Maintenance Pack installation on a UNIX Cluster Environment:

1) Ensure that prior to installing the maintenance pack, NetBackup is at
   release level 5.0 MP5 and configured to run in a cluster.
2) Freeze the NetBackup group (This will avoid a 'failover' during a patch
   installation).
3) Install this Maintenance Pack on the inactive node(s) of the cluster
   (follow steps 1-3 below).
4) Install this Maintenance Pack on the active node of the cluster (follow
   steps 1-3 below).
5) Unfreeze the NetBackup group.
--------------------------------------------------------------------------------
As root on the NetBackup Master Server:

1) This pack contains a full release of the IBMzSeries Linux 2.4.21 client. If
   you intend to install this client type, you must first create the following
   directory:

     mkdir /usr/openv/netbackup/client/Linux/IBMzSeriesLinux2.4.21

   If you intend to install the Encryption libraries for this client type,
   create the following directory:

     mkdir /usr/openv/lib/client/Linux/IBMzSeriesLinux2.4.21

2) Install NB_50_5S2A_M and NB_CLT_50_5S2_M Maintenance Pack binaries.

     cd /tmp
     /bin/sh Vrts_pack.install

3) Restart daemons.

     /usr/openv/netbackup/bin/initbprd
     /usr/openv/volmgr/bin/ltid -v

4) Update the NetBackup clients, including the NetBackup master and media
   servers, with the update_clients script.

     /usr/openv/netbackup/bin/update_clients <hardware> <os>

   where <hardware> <os> is one of the following:

     ALPHA OSF1_V5
     HP9000-700 HP-UX11.00
     HP9000-800 HP-UX11.00
     HP9000-700 HP-UX11.11
     HP9000-800 HP-UX11.11
     Linux IBMzSeriesLinux2.4
     Linux IBMzSeriesLinux2.4.21
     INTEL FreeBSD4.5
     Linux RedHat2.4
     MACINTOSH MacOSXS10.2
     RS6000 AIX4.3.3
     RS6000 AIX5
     SCO UnixWare7.1
     SGI IRIX65
     Solaris Solaris7
     Solaris Solaris8
     Solaris Solaris9
     Solaris Solaris10 *
     Solaris Solaris_x86_7
     Solaris Solaris_x86_8

   * - For "Solaris Solaris10" to show when configuring clients into a
       backup policy, the following command must be executed:

         /usr/openv/netbackup/bin/goodies/new_clients

       Only Solaris 10 running on a Sparc is supported. Solaris 10
       running on an X86 system is not supported.

   Remember to include the master server's <hardware> <os> type.

   Note: The /usr/openv/netbackup/bin/update_clients command without
         any parameters will update all the UNIX clients.

   Note: When updating an RS6000 client, there may be circumstances
         where update_clients will fail with an error similar to
         this:

           Couldn't open /usr/openv/lib/libVmangle.so on client
           Client open errno = 26

         If this happens, execute /usr/sbin/slibclean on the client
         to be updated and re-run update_clients.

   If the client (CLT) .Z file and README exist in the installation
   directory during the installation of the server maintenance pack,
   the Vrts_pack.install script will install the client maintenance pack
   automatically. The client maintenance pack will NOT be installed
   automatically during a reinstall of the server maintenance pack.

Additional Notes:

   If non-root administrators use the GUI only, the nonroot_admin
   script no longer needs to be run. If the non-root administrators
   use the command line or bpadm, the group and file permissions
   will have to be changed manually on the NetBackup binaries.
   Users can write their own script. The script is being phased
   out because there is a slight security risk that non-root users
   may be able to execute NetBackup commands only because those users
   are part of a group that is allowed to execute NetBackup commands.

   For "Solaris Solaris10" to show when configuring clients
   into a backup policy, the following command must be executed:

     /usr/openv/netbackup/bin/goodies/new_clients
===========================
III. UNINSTALL INSTRUCTIONS
===========================
Note: This will ONLY uninstall the Maintenance Pack from your local machine.

1) Close the NetBackup user interfaces.

   Make sure the NetBackup server has no active jobs running (for
   example, backups, restores, or duplications).

   If a database agent is being used, such as Oracle,
   ensure that the database services are stopped.

2) Change directory to the pack save directory.
   Substitute the pack name for $PACK in the following command:

     cd /usr/openv/pack/$PACK/save

3) Run the un-install script:

     ./Vrts_pack.uninstall

4) Verify that the pack uninstalled successfully by checking
   /usr/openv/pack/pack.history.

5) If update_clients was run after the pack was originally INSTALLED,
   run it again after that pack is successfully UNINSTALLED.

6) If necessary, restart the NetBackup and Media Manager daemons:

     /usr/openv/netbackup/bin/goodies/netbackup start
=================================
IV. DESCRIPTION OF PROBLEMS FIXED
=================================
The following are descriptions of the problems fixed. Please read the
entire document before installing.
A vulnerability has been confirmed in the NetBackup Volume Manager
daemon. Please refer to the Current Pack section for more information.
README Conventions:

Description
   Describes a particular problem or feature contained in this Maintenance
   Pack.

** Description **
   Describes a problem that can lead to potential data loss. Please
   read these problem descriptions carefully.

Workaround
   Any available workarounds to a problem are also listed. Workarounds
   can be used INSTEAD of applying the patch, however, Symantec strongly
   recommends the "best practice" of being at the latest patch level.

Additional Notes
   Any additional information regarding this problem or feature is included.
=============
Current pack
=============
================================================================================
Etrack Incident = ET429810 ET494465 ET498549
Description:
A vulnerability has been confirmed in the NetBackup Volume Manager
daemon (vmd). By sending a specially crafted packet to the Volume Manager,
a stack overflow occurs. This is caused by improper bounds checking.
Exploitation does not require authentication, thereby allowing a remote
attacker to take over the system or disrupt the backup capabilities.
Further testing and code inspection has revealed that all other
NetBackup 5.1 daemons are potentially affected in the same manner.
Therefore, any Master Servers, Media Servers, Clients and Console machines
at this version level are subject to this vulnerability. However,
NetBackup 5.1 database agents are not affected by this issue.
Refer to the Related Document section for more details.
================================================================================
==============
NB_50_5S1320_M
==============
Etrack Incident = ET427044
Description:
A change has been made to avert a potential vulnerability in a Java
authentication service that runs on VERITAS NetBackup servers and clients.
This change prohibits remote attackers from executing arbitrary code on a
targeted system. In addition, Symantec recommends that users block the
affected ports from external network access.
(NetBackup Servers and Clients)
================================================================================
Legacy ID: 280864