NEWS Veritas issued on Wednesday a patch for a security flaw in its Java authentication service running on NetBackup servers and clients.
The vulnerability in question could let malicious attackers gain remote access to information stored on backup servers.
For Veritas, owned by security-software giant Symantec, this latest flaw in its backup software is the third occurrence in less than four months. In this most recent case, however, the vulnerability not only affects the server but also users' clients, said Johannes Ullrich, chief research officer for the SANS Institute.
NetBackup 4.5, 5.0, 5.1 and 6.0, running on all platforms and all versions, are affected by the vulnerability, according to a posting on Veritas' support site.
A malicious attacker could remotely exploit a flaw in the Java authentication service, bpjava-msvc, running on NetBackup servers and clients. The attacker could potentially then execute code.
Ullrich said: "The problem with this vulnerability is it's not only running on all the desktops but, even worse, if a malicious hacker gets into the backup server, they have access to all your backup information."
Though no exploit code has been found, hackers are laying the groundwork needed to take advantage of the flaw once exploit code is available, Ullrich noted. Hackers are scanning far more computer systems to ascertain if the systems are vulnerable.
He added that users, especially those who experienced a fallout several months ago from the earlier Veritas vulnerability, are likely to patch the most recent flaw quickly.
Ullrich said: "A few months ago, there was a similar [Veritas] backup problem that was widespread and caused a lot of headaches. People who didn't patch quickly last time will do it much faster this time."
Dawn Kawamoto writes for CNET News.com
