- 
				mkretzer
- Veeam Legend
- Posts: 1289
- Liked: 464 times
- Joined: Dec 17, 2015 7:17 am
- Contact:
Critical V11 and V12 vulnerability?
Hello,
does anyone here have more info about this: https://www.reddit.com/r/Veeam/comments ... erability/
Is there a workaround other than patch installation?
Markus
- 
				DanielJ
- Service Provider
- Posts: 285
- Liked: 56 times
- Joined: Jun 10, 2019 12:19 pm
- Full Name: Daniel Johansson
- Contact:
Re: Critical V11 and V12 vulnerability?
Can we get some actual information on this? I haven't got any mail. I would expect info such as this to be published here on the forum.
						- 
				JamesMcG
- Enthusiast
- Posts: 39
- Liked: 8 times
- Joined: Jul 11, 2012 3:39 pm
- Full Name: James McGuinness
- Contact:
Re: Critical V11 and V12 vulnerability?
Why is the patched version (11.0.1.1261) the same as the one I updated to last year as well?
						- 
				Gostev
- Chief Product Officer
- Posts: 32737
- Liked: 7958 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Critical V11 and V12 vulnerability?
@mkretzer the workaround is documented following the link you posted.
@DanielJ you can read all actual information following the same link. As always, we will update the sticky once the KB articles (with the same exact info as above) are published and link them there. Our GIS team requested email notifications are sent to our customers first before making this information public in a form of KB articles. Make sure you're not unsubscribed from Veeam communications.
@JamesMcG it's not the same, the cumulative patch level is different (you had P2022XXXX, this one is P2023XXXX).
- 
				Gostev
- Chief Product Officer
- Posts: 32737
- Liked: 7958 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Critical V11 and V12 vulnerability?
May or may not be published depending on severity, whether the PM responsible for the particular product is available or is on vacation, and so on and so forth. Not the purpose of this forum really. I recommend subscribing to the Support KB instead (see at the top of this page), this one is automated and is not dependent on a "human factor".

- 
				DanielJ
- Service Provider
- Posts: 285
- Liked: 56 times
- Joined: Jun 10, 2019 12:19 pm
- Full Name: Daniel Johansson
- Contact:
Re: Critical V11 and V12 vulnerability?
Thanks, but all I can see is a post on Reddit. I'll wait until I can read the updated KB articles.
						- 
				mkretzer
- Veeam Legend
- Posts: 1289
- Liked: 464 times
- Joined: Dec 17, 2015 7:17 am
- Contact:
- 
				Gostev
- Chief Product Officer
- Posts: 32737
- Liked: 7958 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Critical V11 and V12 vulnerability?
That is correct... which is basically a third of all Veeam installs, so it was worth mentioning as an option.
The support KB articles are now published, and I've updated the sticky ALL VERSIONS topic with them.
- 
				Regnor
- VeeaMVP
- Posts: 1086
- Liked: 342 times
- Joined: Jan 31, 2011 11:17 am
- Full Name: Max
- Contact:
Re: Critical V11 and V12 vulnerability?
@Anton: Do only customers with active contracts get such notifications? I haven't received this one nor another critical issue some time ago, but do get all other general notifications (releases, events, ...).
						- 
				LickABrick
- Enthusiast
- Posts: 67
- Liked: 31 times
- Joined: Dec 23, 2019 7:26 pm
- Full Name: Lick A Brick
- Contact:
Re: Critical V11 and V12 vulnerability?
@Regnor, you can subscribe via: https://www.veeam.com/knowledge-base.html
						- 
				Regnor
- VeeaMVP
- Posts: 1086
- Liked: 342 times
- Joined: Jan 31, 2011 11:17 am
- Full Name: Max
- Contact:
Re: Critical V11 and V12 vulnerability?
Those are the weekly digests, which I already receive, but I'm referring to the mailing posted in reddit.
						- 
				LickABrick
- Enthusiast
- Posts: 67
- Liked: 31 times
- Joined: Dec 23, 2019 7:26 pm
- Full Name: Lick A Brick
- Contact:
Re: Critical V11 and V12 vulnerability?
It says: Want to receive a weekly summary of the latest KB updates or immediate notices about Security Advisories?
So it should notify you quite fast. Reddit posts can be edited so I assume they can post those a little earlier.
- 
				HYF_JE
- Enthusiast
- Posts: 50
- Liked: 7 times
- Joined: Jan 24, 2023 11:14 pm
- Contact:
Re: Critical V11 and V12 vulnerability?
Disclaimer: Veeam novice.
I'm sure this is the case based on the contents of the KBs but to verify - this vulnerability does NOT affect Veeam ONE and Veeam Backup Enterprise Manager, correct? Only VBR?
- 
				mkaec
- Veteran
- Posts: 483
- Liked: 144 times
- Joined: Jul 16, 2015 1:31 pm
- Full Name: Marc K
- Contact:
Re: Critical V11 and V12 vulnerability?
I've been changing the passwords of the credentials stored in Veeam as a precaution. There are a few I did not create and cannot remove. They appear to be default. I don't remember setting their passwords or giving them to an external system. If that's the case, are there even any passwords stored that would pose a risk?
Provider-side network extension appliance credentials
Helper appliance credentials
Tenant-side network extension appliance credentials
Azure helper appliance credentials
- 
				rgmueller
- Enthusiast
- Posts: 28
- Liked: 4 times
- Joined: Dec 21, 2018 4:35 pm
- Contact:
Re: Critical V11 and V12 vulnerability?
What is meant by "remote components"? We have AWS VTLs. I have a local physical VBR server and 2 local physical servers that are mainly repository servers. I assume I need to apply this patch?
						- 
				edh
- Veeam Legend
- Posts: 417
- Liked: 129 times
- Joined: Nov 02, 2020 2:48 pm
- Full Name: Manuel Rios
- Location: Madrid, Spain
- Contact:
[MERGED] Re: V12 Patch P20230223
Can anyone in Veeam work to improve communication for critical patches?
Not just a post in Reddit before service providers got knowledge.
Maybe an email notification, as your marketing department does for "selling" features.
I think that is not the way to notify us of a security event through Reddit.
Service Provider | VMCE
						- 
				Mildur
- Product Manager
- Posts: 10972
- Liked: 3011 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Critical V11 and V12 vulnerability?
@edh
I moved your comment. Please use this topic and not the other one. The other one was VSPC related.
We will check why you didn't receive a mail as others have and give you feedback.
Thank you.
Fabian
Product Management Analyst @ Veeam Software
						- 
				DavidCNZ
- Novice
- Posts: 5
- Liked: never
- Joined: Aug 17, 2016 2:38 am
- Contact:
Re: Critical V11 and V12 vulnerability?
Hi,
Considering the criticality of this patch I was surprised to find that when I tried to install it I can't because we don't currently have maintenance. We will have it renewed soon but the company is in the process of part of it transferring to a new owner so things like maintenance tend to be on hold.
Veeam has a long-standing commitment to ensuring our products protect customers from any potential risk.
... but only if you've paid your maintenance. I can understand this if it had been for an old version but for a recently expired v11?
Regards
David
- 
				Gostev
- Chief Product Officer
- Posts: 32737
- Liked: 7958 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Critical V11 and V12 vulnerability?
The emphasis is on "our customers", which you are currently not. Think of it as if you did not renew your Netflix subscription. This is nothing new really, has been in Veeam EULA for 15 years now:
5.0 Maintenance and Support [...] Software updates cannot be applied to the Software with an expired Maintenance plan.
Having said that, depending on your scenario you can potentially use a workaround.
- 
				Gostev
- Chief Product Officer
- Posts: 32737
- Liked: 7958 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: [MERGED] Re: V12 Patch P20230223
Email notifications are being sent out, the Reddit post is the very result of those. Due to the sheer size of the Veeam customer base, it will take a few days. They just cannot be done instantly to all 500K+ customers without Veeam getting automatically banned worldwide for spam.
The world of big numbers is really peculiar.
- 
				Gostev
- Chief Product Officer
- Posts: 32737
- Liked: 7958 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Critical V11 and V12 vulnerability?
Yes, you do - since you have your backup repositories on different servers than your backup server.
- 
				Gostev
- Chief Product Officer
- Posts: 32737
- Liked: 7958 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
- 
				BennyDC
- Enthusiast
- Posts: 57
- Liked: 9 times
- Joined: Mar 03, 2017 3:24 pm
- Full Name: Benny De Cock
- Contact:
Re: Critical V11 and V12 vulnerability?
Hi,
is a database backup recommended before running this update?
- 
				Mildur
- Product Manager
- Posts: 10972
- Liked: 3011 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Critical V11 and V12 vulnerability?
Hi Benny
You should have a daily configuration backup already.
But it's always recommended to create a manual configuration backup before an update.
Best,
Fabian
Product Management Analyst @ Veeam Software
						- 
				apolloxm
- Expert
- Posts: 111
- Liked: 11 times
- Joined: Aug 27, 2021 12:29 am
- Contact:
Re: Critical V11 and V12 vulnerability?
we had veeam agent for windows in our environment, if we installed this patch, do we need to reboot veeam agent for windows? or just reboot veeam vbr server
- 
				Mildur
- Product Manager
- Posts: 10972
- Liked: 3011 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Critical V11 and V12 vulnerability?
Veeam VBR Server. The patch only updates the VBR server.
There is no new Agent build within the patch.
Best,
Fabian
Product Management Analyst @ Veeam Software
						- 
				Cragdoo
- Veeam Software
- Posts: 632
- Liked: 251 times
- Joined: Sep 27, 2011 12:17 pm
- Full Name: Craig Dalrymple
- Location: Scotland
- Contact:
Re: Critical V11 and V12 vulnerability?
Just checking the emergency patches are not a breaking release, e.g. customers upgrade before MSPs will still be able to use VCC services?
						- 
				UnknownUser468
- Lurker
- Posts: 1
- Liked: never
- Joined: Feb 20, 2023 2:26 pm
- Contact:
Re: Critical V11 and V12 vulnerability?
Do I understand correctly that the patch only needs to be installed on the VBR server? On my other proxy and repo server the patch does not need to be installed?
						- 
				Gostev
- Chief Product Officer
- Posts: 32737
- Liked: 7958 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
- 
				Gostev
- Chief Product Officer
- Posts: 32737
- Liked: 7958 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Critical V11 and V12 vulnerability?
UnknownUser468 wrote: Mar 08, 2023 11:06 am
Do I understand correctly that the patch only needs to be installed on the VBR server? On my other proxy and repo server the patch does not need to be installed?
Yes, patches are always installed on a backup server only.
As far as the remote components, you will see the answer when going through the patch wizard: basically, it can trigger their update automatically for you (following the patch installation) or you can do the same manually later in the backup console. Obviously, this only applies to patches that actually update modules of the remote components, and I believe this particular patch is not one of them. [EDIT] Not correct, it needs to patch Windows servers which are acting as mount servers for your repositories (usually they are the same servers as your Windows-based repository servers).