This document describes the vulnerabilities and the mitigation plan for the Veritas Enterprise Administrator (VEA) product.
Vulnerabilities have been reported in the following components on which VEA depends:
OpenSSL 0.9.6b
OpenSSL 0.9.8k
Vulnerabilities
The following link lists the vulnerabilities and their affected versions: https://www.openssl.org/news/vulnerabilities.html
There are 38 known vulnerabilities in OpenSSL 0.9.6b. There may be others that were found and fixed in later releases of OpenSSL that are not listed as affecting that version because it was considered EOL.
There are 59 known vulnerabilities in OpenSSL 0.9.8k.
Veritas has not performed an analysis of these individual vulnerabilities. However, because VEA communicates only over SSLv3, any vulnerability related to SSLv3 is potentially exploitable, and that includes the use of SSLv3 itself, which is considered insecure. An attacker in a position to perform a man-in-the-middle attack could therefore potentially destroy data or steal login credentials. Because some users reuse the same credentials on multiple systems, theft of credentials could lead to damage on systems unrelated to Storage Foundation.
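A practitioner will want to confirm for themselves whether a given VEA endpoint still negotiates SSLv3. Modern OpenSSL builds (and therefore Python's ssl module) no longer speak SSLv3, so the check below sends a hand-built SSLv3 ClientHello and interprets the first record the server returns. This is an added example, not code from Veritas or the VEA product: the hostname and port in probe_sslv3 are assumptions that must be replaced with the real VEA listener, and the two response samples are constructed inline so the parsing can be exercised offline.

```python
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"

# RSA cipher suites that an OpenSSL 0.9.x server typically offers over SSLv3.
SSL3_CIPHER_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 record carrying a minimal ClientHello (no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CIPHER_SUITES)
    body = (
        SSL3_VERSION                                  # client_version = 3.0
        + client_random                               # 32-byte random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites vector
        + b"\x01\x00"                                 # compression: null only
    )
    # Handshake header: type 0x01 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version 3.0, 16-bit length.
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Interpret the first TLS/SSL record returned after the ClientHello."""
    if len(data) < 5:
        return {"result": "no_response"}
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15 and len(payload) >= 2:
        # Alert record: a protocol_version or handshake_failure alert means
        # the server refused SSLv3, which is the desired outcome.
        desc = payload[1]
        return {"result": "alert", "level": payload[0], "description": desc,
                "name": ALERT_NAMES.get(desc, "unknown")}
    if content_type == 0x16 and len(payload) >= 4 and payload[0] == 0x02:
        # ServerHello body: version(2) random(32) sid_len(1) sid cipher(2) comp(1)
        hello = payload[4:]
        if len(hello) < 38:
            return {"result": "truncated_server_hello"}
        sid_len = hello[34]
        off = 35 + sid_len
        cipher = struct.unpack("!H", hello[off:off + 2])[0]
        return {"result": "server_hello", "version": hello[0:2],
                "cipher_suite": cipher, "sslv3_accepted": hello[0:2] == SSL3_VERSION}
    return {"result": "unexpected", "content_type": content_type}


def probe_sslv3(host, port, timeout=5.0):
    """Connect to host:port, offer SSLv3 only, and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            try:
                data = sock.recv(4096)
            except socket.timeout:
                return {"result": "no_response"}
    except ConnectionRefusedError:
        # Nothing listening: consistent with VEA not having been enabled.
        return {"result": "connection_refused"}
    return classify_server_response(data)


# Constructed samples (not captured from a real VEA server) for offline checks.
# ServerHello accepting SSLv3 with cipher suite 0x0005 and an empty session id.
SAMPLE_SERVER_HELLO = bytes.fromhex(
    "160300002a" "02000026" "0300" + "11" * 32 + "00" "0005" "00"
)
# Fatal protocol_version alert, i.e. the server rejects SSLv3.
SAMPLE_ALERT = bytes.fromhex("1503000002" "0246")

if __name__ == "__main__":
    # Assumed target; replace with the host and port the VEA service listens on.
    print(probe_sslv3("vea.example.internal", 2148))
```

A `server_hello` result with `sslv3_accepted` set to True means the endpoint will complete an SSLv3 handshake and is exposed to the class of issues described above; an alert or a refused connection is the expected outcome on a default installation where VEA has not been enabled.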
Risk Mitigation
VEA is not enabled at startup on a default installation.
Veritas believes the vast majority of customers use the CLIs to administer their systems and so expects that this issue will not affect most users.
Based on the above, Veritas believes that customers who use the CLIs will not be affected by these vulnerabilities on a default installation or upgrade of the product. Customers are at risk, however, if they manually take steps to enable VEA.
Legal Notices
Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and are subject to change. Any future release of the product or planned modifications to product capability, functionality, or feature are subject to ongoing evaluation by Veritas, and may not be implemented and should not be considered firm commitments by Veritas and should not be relied upon in making decisions.
Veritas does not and will not guarantee that the software is free of defects or bugs and no warranty of completeness or accuracy is being provided with the above information.