I've been realizing some of my issues with Veeam are in one way or another the result of us perpetually using outdated versions of the software. I want to remedy that issue, but need management's approval. For the sake of my trying to convince my management team to allow me to keep the Veeam infrastructure up to date, can someone at Veeam answer this for me:
Are most security vulnerabilities that are discovered and patched issues that have been around for a while, or things that just got introduced in the latest release?
I want to be able to use "more secure" as an argument for always being on the latest version, but the management team believes that the latest version will have unpatched security vulnerabilities so it's best to stay outdated and only update after a release is at least a few months old so security vulnerabilities have been patched. My assumption is that whatever patches are issued months later were likely vulnerabilities in the outdated release we're on, so staying outdated doesn't actually improve security. But it'd help if someone at Veeam could agree that my assumption is accurate.
Tim (Service Provider)
Chief Product Officer (Baar, Switzerland)
Re: Security Vulnerabilities in Previous Releases
Your view is absolutely correct: the vast majority of vulnerabilities have been in the product forever. It's quite uncommon for a new security issue to be introduced, as the only real chance to introduce one is with a major architecture rewrite/update, which doesn't happen very often.
I believe this is the case with most software out there. For example, all but one critical VMware ESXi vulnerability I remember affected all ESXi versions.
Therefore, you will have the best possible security posture if you:
- Update your current version as soon as possible (ideally within 14 days of security patch availability, before exploits are built), AND
- Do not jump to new major releases until they are proven and have received a few maintenance releases (so at least 6-12 months in)
Which is basically what every large enterprise customer of Veeam does.
If you stay on earlier unpatched versions, you're a very easy target for any hacker (even unskilled) because of the very mature tooling available to them to exploit well-known vulnerabilities. They can just download and run it against your backup server.
Tim (Service Provider)
Re: Security Vulnerabilities in Previous Releases
That all lines up with what I'd generally advise, although I don't actually consider us to be a "large enterprise".
When you say "major releases" you do mean like VBR 12 or the upcoming VBR 13, correct? Not 12.1 or 12.2?
Chief Product Officer (Baar, Switzerland)
Re: Security Vulnerabilities in Previous Releases
Correct, like V13 (a change of the first octet in the build number). A minor release changes the second octet; a maintenance release changes the third.
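The two-rule policy from the Chief Product Officer's earlier reply (patch the current major within 14 days, hold a new major until it is 6-12 months old and has a few maintenance releases) combined with the build-number convention in this last reply, written up as a small version-triage script. This is an added example, not code from the thread or from Veeam: the build strings and release dates below are constructed and are not real Veeam releases, and the thresholds encode my reading of the thread ("a few" maintenance releases taken as two or more, "6-12 months" taken as 180 days), which is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy thresholds taken from the thread; the exact numbers are assumptions.
PATCH_WINDOW_DAYS = 14              # "within 14 days of security patch availability"
MAJOR_MIN_AGE_DAYS = 180            # "at least 6-12 months in", lower bound
MAJOR_MIN_MAINTENANCE_RELEASES = 2  # "a few maintenance releases", read as two or more


@dataclass(frozen=True)
class Release:
    build: str      # "major.minor.maintenance.build", per the build-number convention above
    released: date  # date the build became available


def parse_build(build):
    """Return (major, minor, maintenance) from a dotted build string."""
    parts = build.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build string: {build!r}")
    return tuple(int(p) for p in parts[:3])


def classify(installed, candidate):
    """Name the step from installed to candidate: 'major', 'minor', 'patch' or 'none'."""
    i, c = parse_build(installed), parse_build(candidate)
    if c <= i:
        return "none"
    if c[0] != i[0]:
        return "major"
    if c[1] != i[1]:
        return "minor"
    return "patch"


def recommend(installed, releases, today):
    """Return (action, build, note) tuples for an installed build.

    Same-major updates get 'apply' with a 14-day deadline; a newer major gets
    'adopt' once it meets the age and maintenance-release thresholds, else 'hold'.
    """
    inst = parse_build(installed)
    newer = [r for r in releases if parse_build(r.build) > inst]
    actions = []

    # Rule 1: stay current within the installed major line.
    same_major = sorted((r for r in newer if parse_build(r.build)[0] == inst[0]),
                        key=lambda r: parse_build(r.build))
    if same_major:
        latest = same_major[-1]
        deadline = latest.released + timedelta(days=PATCH_WINDOW_DAYS)
        state = "overdue" if today > deadline else "due"
        actions.append(("apply", latest.build, f"{state}, deadline {deadline.isoformat()}"))

    # Rule 2: only adopt a new major once it has matured.
    for major in sorted({parse_build(r.build)[0] for r in newer} - {inst[0]}):
        line = [r for r in releases if parse_build(r.build)[0] == major]
        first = min(line, key=lambda r: r.released)
        maintenance = sum(1 for r in line if parse_build(r.build)[2] > 0)
        age = (today - first.released).days
        ready = age >= MAJOR_MIN_AGE_DAYS and maintenance >= MAJOR_MIN_MAINTENANCE_RELEASES
        newest = max(line, key=lambda r: parse_build(r.build))
        actions.append(("adopt" if ready else "hold", newest.build,
                        f"{age} days old, {maintenance} maintenance release(s)"))
    return actions


# Constructed release history; builds and dates are invented for illustration.
RELEASES = [
    Release("12.0.0.1", date(2024, 1, 10)),
    Release("12.0.1.2", date(2024, 3, 5)),
    Release("12.1.0.3", date(2024, 9, 20)),
    Release("12.1.1.4", date(2025, 5, 25)),
    Release("13.0.0.1", date(2025, 4, 1)),
    Release("13.0.1.2", date(2025, 5, 15)),
]

if __name__ == "__main__":
    for action in recommend("12.0.1.2", RELEASES, date(2025, 6, 1)):
        print(action)
```

Feed it the installed build and the vendor's release list with dates, and it separates the "patch now" decision from the "move majors" decision, which is the distinction the reply draws: the same-major update carries a deadline, while the new major line is reported with its age and maintenance-release count so the hold can be justified with numbers rather than a feeling.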