-
- Veeam Software
- Posts: 219
- Liked: 111 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
- Contact:
Log4j/CVE-2021-44228 vulnerability?
Hi,
Can Veeam issue a statement if any of their products (thinking AWS/Azure/GCP most likely) are vulnerable to Log4j/CVE-2021-44228?
I’m assuming if they are a normal security patch is all that’ll be required for Apache but would be good for a clear statement!
Thanks,
Michael
Can Veeam issue a statement if any of their products (thinking AWS/Azure/GCP most likely) are vulnerable to Log4j/CVE-2021-44228?
I’m assuming if they are a normal security patch is all that’ll be required for Apache but would be good for a clear statement!
Thanks,
Michael
-------------
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Log4j/CVE-2021-44228 vulnerability?
We don’t utilise Apache in any of these products so I don’t think there is an issue. I will ask our security team to check it as well for 100% assurance.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Veeam Software
- Posts: 219
- Liked: 111 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
- Contact:
Re: Log4j/CVE-2021-44228 vulnerability?
Thanks for the response, I thought I’d best ask as we can’t always see the individual components without going digging.
With the severity of this being so bad and the issue so widespread. A confirmation of “no risk” will be brilliant for all of us that will inevitably be questioned about this on Monday (or already are being questioned)
With the severity of this being so bad and the issue so widespread. A confirmation of “no risk” will be brilliant for all of us that will inevitably be questioned about this on Monday (or already are being questioned)
-------------
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Log4j/CVE-2021-44228 vulnerability?
We don't use Apache in our Veeam Backup for Azure/AWS/GCP products family.micoolpaul wrote:A confirmation of “no risk” will be brilliant for all of us that will inevitably be questioned about this on Monday (or already are being questioned)
-
- Enthusiast
- Posts: 99
- Liked: 12 times
- Joined: Jul 23, 2012 3:48 pm
- Contact:
Veeam for AWS & the log4j exploit?
Are there any updates regarding the Veeam for AWS software and the log4j exploit that has been rocking the 'Net the past day or so? The https access for our Veeam instance is locked down via EC2 security groups to only allow https from our company's IP addresses. But I'd like to hear from Veeam if it affected and if it is running the log4j software package.
Thanks.
Thanks.
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
[MERGED] Re: Veeam for AWS & the log4j exploit?
Hi nmace
Michael was already asking for all products.
Veeam does not use this software in his products.
Read more about it here
Michael was already asking for all products.
Veeam does not use this software in his products.
Read more about it here
Product Management Analyst @ Veeam Software
-
- Novice
- Posts: 3
- Liked: never
- Joined: Aug 07, 2019 6:40 pm
- Contact:
Re: Log4j/CVE-2021-44228 vulnerability?
Just to be sure.. This vulnerability is not apache (the webserver) related, it's related the java logging library log4j2 witch is part of the apache foundation.
-
- Veeam Software
- Posts: 219
- Liked: 111 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
- Contact:
Re: Log4j/CVE-2021-44228 vulnerability?
Hi Sbou,
Correct. Apache have a set of logging services of which Log4j is part of. I wanted to ask the question as you never know what dependencies a product has so thought best to ask and check!
Correct. Apache have a set of logging services of which Log4j is part of. I wanted to ask the question as you never know what dependencies a product has so thought best to ask and check!
-------------
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
-
- Certified Trainer
- Posts: 1025
- Liked: 448 times
- Joined: Jul 23, 2012 8:16 am
- Full Name: Preben Berg
- Contact:
Log4shell - CVE-2021-21985
Hi all,
Gostev already speculated on this in the weekly digest, and I totally agree that it is unlikely that there are any traces of log4j in Veeam components. However, I wanted to start this thread to track the development of the official statement from the Veeam team. I know our customers would like a final statement for sure
Gostev already speculated on this in the weekly digest, and I totally agree that it is unlikely that there are any traces of log4j in Veeam components. However, I wanted to start this thread to track the development of the official statement from the Veeam team. I know our customers would like a final statement for sure
Could you please let us know when this final confirmation is available?Gostev in the Digest wrote: As for Veeam products, while I still need to get the official confirmation from our security team, it's unlikely we're affected because as far as I know we don't use Java in principle. Plus, as it comes to web servers, we're married to Microsoft IIS for our Windows-based apps (VBR/ONE/VSPC) and to nginx for Linux-based (Veeam Backup for AWS/Azure/GCP). The only place I'm aware that uses some Apache components is our SureBackup helper appliance, but that one certainly should not have any traces of Java.
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Log4shell - CVE-2021-21985
Hi Prepen
There are already 2 or 3 topics about this in the forums, some of them with statements from veeam.
EDIT Moderator: all links were merged into this thread
Thanks again for the architect training last week. It was really good
There are already 2 or 3 topics about this in the forums, some of them with statements from veeam.
EDIT Moderator: all links were merged into this thread
Thanks again for the architect training last week. It was really good
Product Management Analyst @ Veeam Software
-
- Certified Trainer
- Posts: 1025
- Liked: 448 times
- Joined: Jul 23, 2012 8:16 am
- Full Name: Preben Berg
- Contact:
Re: Log4shell - CVE-2021-21985
Thanks Fabian
While I was aware of the thread regarding Backup to Azure, I posted this thread on the general VBR section (which I actually thought was a global thread that listed all questions from all sub-sections as well).
Sorry for the duplicate. I'll let Veeam decide which thread becomes the master, since they're all specific to separate products, while this question spans across their entire portfolio.
While I was aware of the thread regarding Backup to Azure, I posted this thread on the general VBR section (which I actually thought was a global thread that listed all questions from all sub-sections as well).
Sorry for the duplicate. I'll let Veeam decide which thread becomes the master, since they're all specific to separate products, while this question spans across their entire portfolio.
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Log4shell - CVE-2021-21985
I threw everything together
Log4j is not used according to this list of used open source software https://www.veeam.com/eula-oss.html (which makes sense, we don't use Java)
Yes, some products are missing on that list and we will update that.
And yes, we will also confirm again after final statement from the security team.
Log4j is not used according to this list of used open source software https://www.veeam.com/eula-oss.html (which makes sense, we don't use Java)
Yes, some products are missing on that list and we will update that.
And yes, we will also confirm again after final statement from the security team.
-
- Influencer
- Posts: 22
- Liked: 2 times
- Joined: May 06, 2021 1:45 pm
- Contact:
Re: Log4shell - CVE-2021-21985
All those posts are pulled. 'Does not exist'.Mildur wrote: ↑Dec 13, 2021 10:16 am Hi Prepen
There are already 2 or 3 topics about this in the forums, some of them with statements from veeam.
Log4j/CVE-2021-44228 for VBR
Veeam for AWS & the log4j exploit?
Log4j/CVE-2021-44228 vulnerability?
Thanks again for the architect training last week. It was really good
The one I personally wonder about is the Agent for Linux.
I have a 'snapshot' folder with a log4j version in it, but I do not have the linux knowledge to say if this is default linux, some user or application or a Veeam component issue.
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Log4shell - CVE-2021-21985
yes, I moved one of the topics into this thread (links can break then). the other topics was from one of our employees, so I moved it to the "employee section" of the forums
from my point of view, the answer is already given for the Linux agent in the list I mentioned above
but yes, let's wait for final confirmation please.
from my point of view, the answer is already given for the Linux agent in the list I mentioned above
but yes, let's wait for final confirmation please.
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Log4shell - CVE-2021-21985
Veeam Agent for Linux does not use log4j / apache / java and therefore the folder you see is most likely some user application.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Influencer
- Posts: 22
- Liked: 2 times
- Joined: May 06, 2021 1:45 pm
- Contact:
Re: Log4shell - CVE-2021-21985
Ah thanks, that's nice.HannesK wrote: ↑Dec 13, 2021 10:58 am yes, I moved one of the topics into this thread (links can break then). the other topics was from one of our employees, so I moved it to the "employee section" of the forums
from my point of view, the answer is already given for the Linux agent in the list I mentioned above
but yes, let's wait for final confirmation please.
It's quite the big thing in our country at government level atm.
Thanks for the confirmation!nielsengelen wrote: ↑Dec 13, 2021 10:59 am Veeam Agent for Linux does not use log4j / apache / java and therefore the folder you see is most likely some user application.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Log4shell - CVE-2021-21985
I received the confirmation from our security team that no Veeam products use log4j. Because just as I thought, we don't use Java in principle.poulpreben wrote: ↑Dec 13, 2021 10:12 amGostev already speculated on this in the weekly digest, and I totally agree that it is unlikely that there are any traces of log4j in Veeam components. However, I wanted to start this thread to track the development of the official statement from the Veeam team. I know our customers would like a final statement for sure
Could you please let us know when this final confirmation is available?
-
- Veeam Software
- Posts: 219
- Liked: 111 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
- Contact:
Re: Log4shell - CVE-2021-21985
Thanks everyone from Veeam on the swift response to this, especially over the weekend.
-------------
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Log4shell - CVE-2021-21985
for those who need an "official" document... we created a KB article that states that none of our products is vulnerable to that issue: https://www.veeam.com/kb4254
-
- Veeam Vanguard
- Posts: 19
- Liked: 7 times
- Joined: Sep 20, 2019 10:14 pm
- Full Name: Greg Barney
- Contact:
Re: Log4shell - CVE-2021-21985
Want to also extend thanks for the quick responses here from Veeam. Certainly made my job a lot easier when we had our internal briefing surrounding what products were impacted and what needed remediation.
-
- Enthusiast
- Posts: 86
- Liked: 15 times
- Joined: May 22, 2015 1:41 pm
- Full Name: Alan Shearer
- Contact:
Re: Log4shell - CVE-2021-21985
The Veeam Proxy for AHV is clear too?
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Log4shell - CVE-2021-21985
Yes, all products are clear.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Influencer
- Posts: 22
- Liked: 2 times
- Joined: May 06, 2021 1:45 pm
- Contact:
Re: Log4shell - CVE-2021-21985
Thanks! We do 'need' it.HannesK wrote: ↑Dec 13, 2021 4:17 pm for those who need an "official" document... we created a KB article that states that none of our products is vulnerable to that issue: https://www.veeam.com/kb4254
-
- Service Provider
- Posts: 84
- Liked: 13 times
- Joined: Nov 11, 2015 3:50 pm
- Location: Canada
- Contact:
Re: Log4shell - CVE-2021-21985
Hi,
Our security staff is urging my team to resolve the following matter before EoD, most of our Windows Veeam servers have these installed:
C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar
Not 100% sure but it looks to be from the default SQL Express package embedded from the Veeam installer.
What's your take on this?
Thanks
Our security staff is urging my team to resolve the following matter before EoD, most of our Windows Veeam servers have these installed:
C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar
Not 100% sure but it looks to be from the default SQL Express package embedded from the Veeam installer.
What's your take on this?
Thanks
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Log4shell - CVE-2021-21985
Hello,
not from our software. That path does not exist on my backup servers.
Best regards,
Hannes
not from our software. That path does not exist on my backup servers.
Best regards,
Hannes
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Log4shell - CVE-2021-21985
1.2.17 seems to be outside of affected versions though? Although honestly, this version is so old and so out of support that it probably has a bunch of other severe vulnerabilities anyway
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Log4shell - CVE-2021-21985
Anyway I got curious what it is, and it looks to be a part of Data Transformation Services for importing/exporting database data from/to all sorts of external data sources, some of which require Java to interact with perhaps... so make sense.
See https://en.wikipedia.org/wiki/Data_Tran ... n_Services
See https://en.wikipedia.org/wiki/Data_Tran ... n_Services
-
- Service Provider
- Posts: 84
- Liked: 13 times
- Joined: Nov 11, 2015 3:50 pm
- Location: Canada
- Contact:
-
- Veeam Software
- Posts: 219
- Liked: 111 times
- Joined: Jun 29, 2015 9:21 am
- Full Name: Michael Paul
- Contact:
Re: Log4shell - CVE-2021-21985
Ctek, at least you know patching that won’t break Veeam then, as to anything else sharing the same SQL server…
-------------
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
Michael Paul
Veeam Data Cloud: Microsoft 365 Solution Engineer
-
- Service Provider
- Posts: 84
- Liked: 13 times
- Joined: Nov 11, 2015 3:50 pm
- Location: Canada
- Contact:
Re: Log4shell - CVE-2021-21985
Stubborn Infrastructure specialist I am, I did some lab time at home, 8hrs later I got it....Ctek wrote: ↑Dec 14, 2021 4:33 pm Hi,
Our security staff is urging my team to resolve the following matter before EoD, most of our Windows Veeam servers have these installed:
C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar
Not 100% sure but it looks to be from the default SQL Express package embedded from the Veeam installer.
What's your take on this?
Thanks
If you upgrade the default v9.5-v11 2012 or 2014 SQL Express instance of Veeam to a 2019 SQL Express instance, with default settings, there you have it ("C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars\log4j-1.2.17.jar")
Still some details to figure out, but the raw in-progress details are there.
D.
VMCE
Who is online
Users browsing this forum: Bing [Bot] and 129 guests