
Everyone should do better than Veritas who's fixing seven year old vulnerability by deleting the program

Take action: The customers of Veritas will rightly ask why they would pay for maintenance of Veritas software if the security update, arriving seven years late, amounts to a "shift-delete of adapter.exe" and a stop of the data collection schedule.



Veritas has released a security alert about multiple vulnerabilities in the Infinidat Data Collectors used by Veritas NetBackup IT Analytics. Unfortunately this is the first and last serious fact in this report, since Veritas and Infinidat are 7 years late to the security party, and still don't know how to dance.

Here's the juicy truth behind Veritas' grand revelation:

Veritas reports that NetBackup IT Analytics 11.0, 11.1, 11. are vulnerable, and that earlier unsupported versions of APTARE IT Analytics may be affected as well.

The key vulnerability in their alert, one that both they and Infinidat have been casually ignoring, is CVE-2016-0799 (an OpenSSL vulnerability with a CVSS score of 9.8), a relic from the ancient year of 2016! How nostalgic!

This gem of a vulnerability is found in the adapter/adapter.exe binaries that Veritas oh-so-trustingly used to collect data from Infinidat storage products.

For everyone that's still a bit confused: Veritas bought APTARE and its product IT Analytics in 2019. Both APTARE and then Veritas have been sitting on a security flaw in third-party code for over 7 years, conveniently distributed in APTARE/Veritas NetBackup IT Analytics as an essential component of their data collection process. Finally, Veritas are issuing an advisory and releasing a patch. Which will fix the problem by, wait for it, deleting the Infinidat binaries and stopping collection from Infinidat sources!

The customers of Veritas will rightly ask why they would pay for maintenance of Veritas software if the security update amounts to a "shift-delete of adapter.exe" and a stop of the data collection schedule.

But, hold on! Let's give credit where it's due. The star of this security circus is Infinidat, the third party that has graciously gifted Veritas with this vintage vulnerability. And Infinidat never seems to have gotten around to recompiling their agent against a non-vulnerable version of OpenSSL.

It seems that Infinidat decided that the vulnerable OpenSSL in their agent is not exploitable, which would be fine if they were on the same page with Veritas. From the "fix" that Veritas is providing we can see that Infinidat still has no interest
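A practical check for the situation described above, added here as an example and not taken from Veritas or Infinidat: scan a binary for the OpenSSL version banner it was statically linked against and compare it with the releases that first carried the CVE-2016-0799 fix (1.0.1s and 1.0.2g, from the March 2016 OpenSSL advisory). The sample byte strings are constructed stand-ins; a real adapter.exe would be read from disk with the same function.

```python
import re
from typing import Optional

# First OpenSSL releases on each affected branch that carried the CVE-2016-0799 fix.
FIXED_LETTER = {"1.0.1": "s", "1.0.2": "g"}

# Statically linked OpenSSL embeds a banner such as "OpenSSL 1.0.2d 9 Jul 2015".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")


def find_openssl_versions(blob: bytes) -> list[str]:
    """Return every OpenSSL version banner found in a binary, e.g. ['1.0.2d']."""
    return [(m.group(1) + m.group(2)).decode() for m in BANNER_RE.finditer(blob)]


def is_vulnerable_to_cve_2016_0799(version: str) -> Optional[bool]:
    """True if the version predates the fix, False if fixed or never affected,
    None if the string is not an OpenSSL version."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version)
    if not m:
        return None
    base, letter = m.groups()
    if base in FIXED_LETTER:
        # Patch letters sort alphabetically: 1.0.2d < 1.0.2g < 1.0.2u.
        return letter < FIXED_LETTER[base]
    # 0.9.8 and 1.0.0 were already end-of-life in 2016 and never received the fix;
    # 1.1.0 and later were released after it and never shipped the bug.
    return tuple(int(x) for x in base.split(".")) < (1, 0, 1)


def audit_binary(blob: bytes) -> dict[str, Optional[bool]]:
    """Map each embedded OpenSSL version to whether it is vulnerable."""
    return {v: is_vulnerable_to_cve_2016_0799(v) for v in find_openssl_versions(blob)}


# Constructed sample blobs standing in for an old and a rebuilt collector binary.
SAMPLE_OLD_ADAPTER = b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 1.0.2d 9 Jul 2015\x00" + b"\x00" * 8
SAMPLE_REBUILT_ADAPTER = b"MZ\x90\x00" + b"OpenSSL 1.0.2u  20 Dec 2019\x00"

if __name__ == "__main__":
    for name, blob in [("old adapter", SAMPLE_OLD_ADAPTER), ("rebuilt adapter", SAMPLE_REBUILT_ADAPTER)]:
        print(name, audit_binary(blob))
```

To audit a deployed collector, pass `open(path, "rb").read()` to `audit_binary`; a result of `True` means the binary still carries a pre-fix OpenSSL, regardless of what the vendor's advisory claims about exploitability.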

So what shook Veritas out of their security slumber about the Infinidat agent? It's anyone's guess, but we'll put our money on a third-party code audit and compliance report. Now let's hope Veritas will embrace the magic of timely security reviews and updates.
