Spring Framework Vulnerability (CVE-2022-22965) in Veritas Products

Revision History

1.0: April 01, 2022: Initial version
2.0: April 08, 2022: Added Access BYOS and InfoScale VEA as not vulnerable
3.0: April 22, 2022: Added Multiple Appliance Products with Remediation recommendations
4.0: July 20, 2022: Added CVE-2022-22965 ID

Summary

The Spring Framework Remote Code Execution vulnerability via Data Binding on JDK 9+ (CVE-2022-22965) has been identified in multiple Veritas Appliance Products. The following Veritas products are impacted:

Product	Vulnerable Versions	Fixed Versions	CVE ID	Remediation
Access Appliance	7.4.3/7.4.3.100/7.4.3.200	7.4.3.300	CVE-2022-22965	Article 100052919
Flex Appliance	1.3.x, 2.0, 2.0.1, 2.0.2, 2.1	2.0.2 w/ Hotfix 2.1 w/ Hotfix	CVE-2022-22965	Article 100052862
NetBackup Appliance/ NetBackup Virtual Appliance	4.0/4.0.0.1 MR1/4.0.0.1 MR2 4.0.0.1 MR3 4.1/4.1.0.1 MR1 4.1.0.1 MR2	4.0.0.1 MR3 w/ Hotfix 4.1.0.1 MR2 w/ Hotfix 5.0	CVE-2022-22965	Article 100052910
NetBackup Flex Scale Appliance	2.1, 3.0	2.1 Hotfix 3.0 Hotfix	CVE-2022-22965	Article 100052911

Issue

The above Veritas products include Spring Framework applications running on java JDK 9 and may be vulnerable to remote code execution (RCE) via data binding.

Severity: Critical
CVSS v3.1 Base Score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

The Spring Framework vulnerability is due to Improper Neutralization of Special Elements used in an OS Command (CWE-78) which allows an attacker to load an arbitrary malicious class, resulting in a possible malicious code execution on the server.

Remediation

Customers under a current maintenance/support contract should update to one of the Fixed Versions identified in the table above.

Non-Impacted Veritas Products

The following Veritas products include the Spring Framework, however, based on the information that is currently available, these Veritas products to not appear to be exploitable by this vulnerability. Veritas will update this communication if there are any changes in this respect.

Product	Vulnerable	Comments
Access Appliance 7.4.2.x	No	Does not use JDK >= 9
CloudPoint	No	Does not use JDK >= 9
Data Insight	No	Does not use JDK >= 9
eDiscovery	No	Does not use JDK >= 9
NetBackup	No	Does not use JDK >= 9
NetBackup Appliance 3.x	No	Does not use JDK >= 9
NetBackup Appliance 5.x	No	Uses Spring Framework 5.3.18
NetBackup Virtual Appliance 3.x	No	Does not use JDK >= 9
NetBackup Virtual Appliance 5.x	No	Uses Spring Framework 5.3.18
NetBackup IT Analytics (Previously APTARE)	No	Does not distribute Spring in a WAR file
NetBackup OpCenter	No	Does not use JDK >= 9
Veritas InfoScale Operations Manager (VIOM)	No	Does not use JDK >= 9
Veritas Recovery Platform (VRP)	No	Does not use JDK >= 9

The following Veritas products do not include the Spring Framework, and are not impacted by this vulnerability:

Access BYOS
Appliance Management Server (AMS)
Backup Exec
Desktop Laptop Option
Enterprise Vault
Enterprise Vault.cloud
InfoScale core stack (VCS / VM / FS)
InfoScale Veritas Enterprise Administrator (VEA)
NetBackup Recovery Vault
NetBackup SaaS Protection
Merge1
Quick Assist
Veritas Advanced Supervision
Veritas System Recovery (VSR)

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support)

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054