CVE-2022-36989: 
Veritas NetBackup Client vulnerability analysis and mitigation

An issue was discovered in Veritas NetBackup 8.1.x through 8.1.2, 8.2, 8.3.x through 8.3.0.2, 9.x through 9.0.0.1, and 9.1.x through 9.1.0.1 that allows remote command execution. The vulnerability was disclosed on July 28, 2022, and affects multiple versions of Veritas NetBackup and related products including NetBackup Appliance, Flex Appliance, and Flex Scale (Veritas Advisory).

The vulnerability (CVE-2022-36989) is classified as a high-severity issue with a CVSS v3.1 Base Score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability requires low attack complexity and privileged access, with no user interaction needed. The scope is unchanged, but the impact on confidentiality, integrity, and availability is rated as high (NVD).

If successfully exploited, an attacker with authenticated access to a NetBackup Client could remotely execute arbitrary commands on a NetBackup Primary server. This could lead to complete compromise of the system's confidentiality, integrity, and availability (Veritas Advisory).

Veritas has released HotFixes for affected versions including NetBackup 8.1.2, 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, and 9.1.0.1. Users are advised to apply the HotFix to both Primary servers and Media servers. For versions prior to 8.1.2, users should upgrade to a newer version and apply the corresponding NetBackup HotFix (Veritas Advisory).