CVE-2022-36990: 
Veritas NetBackup Client vulnerability analysis and mitigation

CVE-2022-36990 is a critical security vulnerability discovered in Veritas NetBackup affecting versions 8.1.x through 8.1.2, 8.2, 8.3.x through 8.3.0.2, and other versions. The vulnerability was disclosed on July 27, 2022, and allows an attacker with authenticated access to a NetBackup Client to remotely write arbitrary files to arbitrary locations from any Client to any other Client via a Primary server. This vulnerability requires VxSS to be enabled on both the NetBackup Primary server and the attacker-controlled NetBackup client (Veritas Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H), indicating its critical severity. The technical assessment shows that the vulnerability requires low attack complexity and low privileges, with no user interaction needed. The scope is changed, and while there is no impact on confidentiality, both integrity and availability impacts are high (Veritas Advisory).

If exploited, this vulnerability allows attackers to write arbitrary files to arbitrary locations between NetBackup Clients, potentially leading to severe system compromise. The high impact on both integrity and availability suggests that successful exploitation could result in significant system disruption and potential data manipulation (Veritas Advisory).

Veritas has released HotFixes for affected versions including NetBackup 8.1.2, 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, and 9.1.0.1. Users of pre-8.1.2 versions are advised to upgrade to a newer version and apply the appropriate NetBackup HotFix. The fix needs to be applied to Primary servers as well as all Media servers for complete protection (Veritas Advisory).