ssleay32.dll 0.9.8t security vulnerability

[s2dt]

Hi folks,

our vulnerability scan returns an old openssl library in up2date v12 P20230718.

We found C:\Program Files (x86)\Veeam\Backup Transport\x64\vix\ssleay32.dll within version 0.9.8t on all several Veeam Server, even on Agents or Proxy Server.
This release contains several know security issues:
CVE-2016-0703
CVE-2016-0704
CVE-2015-3195
CVE-2015-1792
and much more (https://www.openssl.org/news/vulnerabilities-0.9.8.html)

Newest release of openssl 0.9.8 is 0.9.8zh (https://abi-laboratory.pro/?view=timeline&l=openssl).

I already opened a case (#07027256). Support ignore these information and returns, there is no vulnerabilite known within this library.
In fact, this library seems to be included in VMWARE VDDK Library for using VIX. I already opened a case bei VMware regarding the library, but they ask me to open an SDK-Case, but as we are no development-partner, we are not entitlent to open an VMware SDK case.

Anyone able to confirm this old library in Veeam Directory? Maybe someone else has more luck by creating a veeam case regarding known security issues in their software.

Have a great Day, Sven

[Gostev]

Hi, if it's a part of VMware VDDK then there's no point in creating Veeam cases. We will update VDDK in our products once VMware ships an updated version, as a part of our standard process of maintaining 3rd party components up to date. Thanks

[s2dt]

Hi Gostev,

thank you. Since this software is bundled an distributed by Veeam, I really hope there is an interesst to close known vulnerabilities. Maybe Veeam is able to address this to VMware as a Technology Partner. I'll keep you updated regarding the open case.

Greets, Sven