-
hasoft
- Novice
- Posts: 9
- Liked: 1 time
- Joined: Sep 29, 2018 10:19 am
- Full Name: Zdenek Vasku
Veeam Agent OpenSSL vulnerabilities
Hello,
After the upgrade of our computers, FortiClient reports these issues on OpenSSL inside Veeam Agent.
OpenSSL AES-XTS cipher decryption Denial of Service Vulnerability
C:\Program Files\Common Files\Veeam\OpenSSL3\Win32\openssl.exe
C:\Program Files\Common Files\Veeam\OpenSSL3\x64\openssl.exe
OpenSSL CVE-2023-2975 Authentication Bypass Vulnerability
C:\Program Files\Common Files\Veeam\OpenSSL3\Win32\openssl.exe
C:\Program Files\Common Files\Veeam\OpenSSL3\x64\openssl.exe
OpenSSL CVE-2023-3817 Denial of Service Vulnerability
C:\Program Files\Common Files\Veeam\OpenSSL3\Win32\openssl.exe
C:\Program Files\Common Files\Veeam\OpenSSL3\x64\openssl.exe
etc. 12 total for OpenSSL 3.0.8.
Is there any plan to upgrade OpenSSL inside Agent? Current version 13.0.1.120
-
Gostev
- Chief Product Officer
- Posts: 33049
- Liked: 8115 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Veeam Agent OpenSSL vulnerabilities
Please note that we're using FIPS-certified versions of OpenSSL only, so it's not a simple "upgrade to the latest OpenSSL version" for us, we need to wait for a later version to get certified first.
-
daysoftit
- Lurker
- Posts: 1
- Liked: never
- Joined: Dec 18, 2025 1:36 pm
- Full Name: Alastair Cupples
Re: Veeam Agent OpenSSL vulnerabilities
Hi, is there any update on this, please? It looks like OpenSSL 3.1.2 was FIPS-certified back in March?
-
Gostev
- Chief Product Officer
- Posts: 33049
- Liked: 8115 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Veeam Agent OpenSSL vulnerabilities
We're using 3.0 not 3.1 so certifications for the latter don't matter. OpenSSL does not have a transparent order of certification for different minor releases, probably because they cannot control it due to external dependencies.
More importantly, I since found that OpenSSL these days contains two parts:
1/ FIPS module: we use version 3.0.8
2/ No-FIPS module which hosts the majority of the logic: we use one of its latest versions in V13
Most CVEs do NOT impact the FIPS module; you will see notes in them about this, such as the one below:
"The FIPS provider is not affected as the AES-SIV algorithm is not FIPS approved and FIPS provider does not implement it."
Your security scanner is likely not advanced enough to do CVE-specific analysis and flags the mere presence of OpenSSL 3.0.8 module.
If you want to review a particular CVE, you can submit the list of CVEs to our security team and they will comment on each one.
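To see what the flagged binaries themselves report, as opposed to what a scanner infers from the file, the following added example (not part of the thread and not Veeam or OpenSSL project code) records the core version string and the providers each `openssl.exe` loads. The function name `ConvertFrom-OpenSslProviderList` and the sample text are constructed for illustration; it is an assumption that the shipped binaries accept the standard OpenSSL 3 `list -providers` command, and a FIPS provider is only listed if the configuration the binary loads activates it.

```powershell
# Added example (not Veeam or OpenSSL project code).
# Paths are the two binaries FortiClient flagged in the first post.
$binaries = @(
    'C:\Program Files\Common Files\Veeam\OpenSSL3\Win32\openssl.exe',
    'C:\Program Files\Common Files\Veeam\OpenSSL3\x64\openssl.exe'
)

function ConvertFrom-OpenSslProviderList {
    # Turns the indented text printed by "openssl list -providers" into objects.
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s{2}(\S+)\s*$') {
            # Two-space indent: a provider id such as "default" or "fips".
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{ id = $Matches[1]; name = ''; version = ''; status = '' }
        }
        elseif ($null -ne $current -and
                $line -match '^\s{4}(name|version|status):\s*(.+?)\s*$') {
            # Four-space indent: an attribute of the current provider.
            $current[$Matches[1].ToLower()] = $Matches[2]
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

# Constructed sample output, so the parser can be checked without the binaries.
$sample = @(
    'Providers:', '  default', '    name: OpenSSL Default Provider',
    '    version: X.Y.Z', '    status: active'
)
ConvertFrom-OpenSslProviderList -Lines $sample | Format-Table | Out-Host

foreach ($exe in $binaries) {
    if (-not (Test-Path -LiteralPath $exe)) { Write-Warning "Not found: $exe"; continue }
    $core = (& $exe version) -join ' '   # version string of the core library
    $listing = & $exe list -providers 2>$null
    foreach ($p in (ConvertFrom-OpenSslProviderList -Lines $listing)) {
        [pscustomobject]@{
            Binary = $exe; Core = $core
            Provider = $p.id; ProviderVersion = $p.version; Status = $p.status
        }
    }
}
```

The resulting rows can accompany the list of CVEs sent for review, since each CVE's applicability depends on which component and version it names.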
-
dreamteam
- Influencer
- Posts: 19
- Liked: 5 times
- Joined: Feb 22, 2017 9:12 am
Re: Veeam Agent OpenSSL vulnerabilities
OpenSSL is a new dependency for Veeam Agent for Windows v13, what's the package used for? (That wasn't needed before?)
Just curious. Thanks for a great product!
-
Gostev
- Chief Product Officer
- Posts: 33049
- Liked: 8115 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Veeam Agent OpenSSL vulnerabilities
For encrypted network connections for example.