Standalone backup agents for Linux, Mac, AIX & Solaris workloads on-premises or in the public cloud
ChadC
Novice
Posts: 3
Liked: never
Joined: Nov 18, 2021 7:38 pm

Veeam RPM packages signed with SHA-1 certificate

Post by ChadC »

Case #07195695

We use Red Hat Insights to help us catch performance and security issues on our servers, and as I get into it more I have seen this warning related only to the Veeam install RPM packages on our RHEL servers, saying they are signed with SHA-1 and that we should ask the vendor to update the signing, as this is a known security issue. This affects RHEL 7 and 8 servers as well. Support requested that I also post this here. Is there a contact our Cyber Security team can discuss this with to see about getting this updated?


The SHA-1 message digest has been deprecated in Red Hat Enterprise Linux (RHEL) 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

The following package installed on this system are signed with SHA-1 algorithm:

veeam-libs
veeam
kmod-veeamsnap
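An added shell check, not from this thread or from Veeam, that reproduces the Insights finding locally: it filters rpm's signature output for packages whose GPG signature used the SHA-1 digest. The rpm query format and the sample report lines are assumptions constructed for the example; the key IDs and dates are made up.

```shell
#!/bin/sh
# Lists installed RPMs whose GPG signature uses the SHA-1 digest.
# Input to the filters is one package per line: NAME<TAB>SIGNATURE, where
# SIGNATURE is rpm's ":pgpsig" rendering, e.g. "RSA/SHA256, <date>, Key ID <id>".

# Pure filter: prints NAME for every line whose signature digest is SHA-1.
# SHA-1 is rendered as "RSA/SHA1," or "DSA/SHA1,"; SHA-256 as "/SHA256,".
find_sha1_signed() {
    awk -F '\t' '$2 ~ /\/SHA1,/ { print $1 }'
}

# Pure filter: prints NAME for packages that carry no signature at all,
# which the SHA-1 check above would otherwise silently ignore.
find_unsigned() {
    awk -F '\t' '$2 == "(none)" { print $1 }'
}

# Live query against the rpm database (needs rpm, e.g. RHEL 7/8/9).
# Assumption: the header signature lives in RSAHEADER on current packages,
# with SIGPGP as the fallback for older v3-style signatures.
scan_installed() {
    rpm -qa --qf '%{NAME}\t%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%{SIGPGP:pgpsig}}|\n' \
        | find_sha1_signed
}

# Constructed sample mirroring the three packages in the Insights report
# plus one SHA-256 signed package and one unsigned local build.
sample_report() {
    printf 'veeam-libs\tRSA/SHA1, Mon 01 Jan 2024 10:00:00 AM UTC, Key ID 0123456789abcdef\n'
    printf 'veeam\tRSA/SHA1, Mon 01 Jan 2024 10:00:00 AM UTC, Key ID 0123456789abcdef\n'
    printf 'kmod-veeamsnap\tRSA/SHA1, Mon 01 Jan 2024 10:00:00 AM UTC, Key ID 0123456789abcdef\n'
    printf 'bash\tRSA/SHA256, Tue 02 Jan 2024 11:00:00 AM UTC, Key ID fedcba9876543210\n'
    printf 'local-build\t(none)\n'
}

# Demo run on the constructed sample; swap in scan_installed on a real host.
sample_report | find_sha1_signed
```

On a real host run `scan_installed` instead of the sample; the three Veeam package names are what the RHEL 7/8 hosts in the thread would list.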
rovshan.pashayev
Veeam Software
Posts: 359
Liked: 72 times
Joined: Jul 03, 2023 12:44 pm
Full Name: Rovshan Pashayev
Location: Czechia

Re: Veeam RPM packages signed with SHA-1 certificate

Post by rovshan.pashayev »

Hello,

Thank you for bringing up the security concern.
We will look into this matter and assess it.

Also, the Veeam agent packages for the latest version, RHEL 9, are being signed with SHA-256.
Rovshan Pashayev
Analyst
Veeam Agent for Linux, Mac, AIX & Solaris
ChadC
Novice
Posts: 3
Liked: never
Joined: Nov 18, 2021 7:38 pm

Re: Veeam RPM packages signed with SHA-1 certificate

Post by ChadC »

For some reason RHEL 8 is showing the same thing, and RHEL still thinks it is SHA-1. Is there someone I can try to connect with at Red Hat to look into this?
rovshan.pashayev
Veeam Software
Posts: 359
Liked: 72 times
Joined: Jul 03, 2023 12:44 pm
Full Name: Rovshan Pashayev
Location: Czechia

Re: Veeam RPM packages signed with SHA-1 certificate

Post by rovshan.pashayev »

Hello ChadC,

Yes, the Veeam package for RHEL 8 is signed with a SHA-1 message digest, as mentioned in the initial post.
We are currently assessing this security concern.
Rovshan Pashayev
Analyst
Veeam Agent for Linux, Mac, AIX & Solaris