CVE-2016-7399

Name of the Vulnerable Software and Affected Versions Veritas NetBackup Appliance versions 2.6.0.x through 2.6.0.4 Veritas NetBackup Appliance versions 2.6.1.x through 2.6.1.2 Veritas NetBackup Appliance versions 2.7.x through 2.7.3 Veritas NetBackup Appliance versions 3.0.x

Description The issue is related to the scripts/license.pl script in Veritas NetBackup Appliance, which allows remote attackers to execute arbitrary commands via shell metacharacters in the hostName parameter to the "appliancews/getLicense" endpoint. This is due to a lack of input validation, enabling an attacker to inject shell metacharacters and execute commands remotely.

Recommendations For versions 2.6.0.x through 2.6.0.4, consider disabling the scripts/license.pl script until a patch is available. For versions 2.6.1.x through 2.6.1.2, restrict access to the "appliancews/getLicense" endpoint to minimize the risk of exploitation. For versions 2.7.x through 2.7.3, avoid using the hostName parameter in the affected endpoint until the issue is resolved. For versions 3.0.x, as a temporary workaround, consider restricting the use of the scripts/license.pl script until a fix is provided. At the moment, there is no information about a newer version that contains a fix for this vulnerability.