
Is there an upgrade for the Deduplication Agent?

Created: 21 Oct 2013 • Updated: 24 Oct 2013 | 6 comments
This issue has been solved. See solution.

Hello,

I was doing some security checks on my server and found out that the Symantec Deduplication Agent is using an old version of OpenSSL. Is there a patch I can apply?

Info
package used on Solaris 10 for the Deduplication Agent - SYMCpddea - Version - 7.0.0.0
Netbackup master server - Solaris 10 - 7.5.0.4
Netbackup Media server - Solaris 10 - 7.5.0.4
Netbackup clients - Solaris 10 - 7.5.0.4

Symantec has a way to fix Java security issues by redirecting the Java to the system Java. http://www.symantec.com/business/support/index?pag...

Is there a workaround like this for OpenSSL as well?

Thanks.


Nicolai's picture

The only patch as such is a newer version of the NetBackup software. NBU 7.5.0.6 is on the street, but I don't know if Symantec has upgraded OpenSSL.

An OpenSSL vulnerability was reported for NBU 7.0.1 to 7.1; see http://www.symantec.com/docs/TECH159456

Assumption is the mother of all mess ups.

If this post answered your question - Please mark as a solution.

cyberninja's picture

Nice info. I don't think I can just remove the PDDE/OpenSSL. I will have to check to see if we are using dedupe on the client side.

I didn't use a scanner; I used the find command.

find / -name openssl -type f 2>/dev/null
<result> version -a

PeteWall's picture

Unlike Java, it's not as simple as using the system OpenSSL libraries rather than the ones in the NetBackup package.

The version of OpenSSL used by Dedupe was updated in the NetBackup 7.5.0.6 patch release.  That is the best course of action in this case.

cyberninja's picture

Before I recommend that we upgrade, I need to know if the upgrade will fix the issue.

The security people say I need one of the following: 0.9.8y, 1.0.0k or 1.0.1e.

The NetBackup version is 0.9.8.r. Does the upgrade get me to the level I need?

CRZ's picture

The 7.5.0.6 Release Notes mention that 0.9.8.y is included.  Check out page 67:

NetBackup 7.5.0.6 Release Notes
 http://symantec.com/docs/DOC6396

As well, 7.6 should definitely contain one of the versions you mention above.


bit.ly/76LBN | APPLBN | 75LBN

SOLUTION
cyberninja's picture

The update fixes the issue. It updates OpenSSL to version 0.9.8.y.
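
An added example (not from the thread or from Symantec): a shell version of the check discussed above, which locates bundled openssl binaries and compares each reported version with the minimums quoted in the thread (0.9.8y, 1.0.0k, 1.0.1e). The function names are hypothetical, and the script assumes the old OpenSSL naming in which letter releases run a..z and then za, zb, and so on.

```shell
#!/bin/sh
# Added example: check bundled OpenSSL binaries against 0.9.8y / 1.0.0k / 1.0.1e.

# Minimum letter release per branch, as quoted in the thread.
min_letter_for_branch() {
    case "$1" in
        0.9.8) echo y ;;
        1.0.0) echo k ;;
        1.0.1) echo e ;;
        *)     return 1 ;;   # branch not covered by the thread's list
    esac
}

# check_openssl_version VERSION  (accepts "0.9.8r" or the dotted "0.9.8.r")
# Returns 0 = at or above minimum, 1 = below, 2 = branch not in the list.
check_openssl_version() {
    ver=$(printf '%s' "$1" | sed 's/\.\([a-z]\)/\1/')
    branch=$(printf '%s' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    letter=$(printf '%s' "$ver" | sed 's/^[0-9.]*\([a-z]*\).*/\1/')
    min=$(min_letter_for_branch "$branch") || return 2
    # A longer letter suffix (za, zb, ...) is newer; equal lengths compare
    # alphabetically; a version with no letter sorts lowest.
    LC_ALL=C awk -v a="$letter" -v m="$min" 'BEGIN {
        if (length(a) != length(m)) exit !(length(a) > length(m))
        exit !(a >= m)
    }'
}

# scan_openssl DIR: run each executable named "openssl" under DIR with
# "version" and print one verdict line per binary, e.g. scan_openssl /
scan_openssl() {
    find "$1" -name openssl -type f 2>/dev/null | while read -r bin; do
        [ -x "$bin" ] || continue
        # First line looks like "OpenSSL 0.9.8r 8 Feb 2011"; field 2 is the version.
        v=$("$bin" version 2>/dev/null | awk 'NR == 1 { print $2 }')
        rc=0
        check_openssl_version "$v" || rc=$?
        case "$rc" in
            0) echo "OK      $v  $bin" ;;
            1) echo "BELOW   $v  $bin" ;;
            *) echo "UNKNOWN $v  $bin" ;;
        esac
    done
}
```

A binary reported as UNKNOWN is on a branch the thread's list does not cover, or did not print a version line, and needs a manual look.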