Agentless, cloud-native backup for Microsoft Azure
Post Reply
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

VBA appliance vulnerable for multiple CVE's

Post by b.vanhaastrecht »

Hello,

Our vulnerability scanner detects multiple issues with the VBA appliance nginx service. Could you please investigate.
CVE-2021-23017
CVE-2018-16843
CVE-2019-9511
CVE-2019-9513
CVE-2018-16844

Kind regards,
Bastiaan
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBA appliance vulnerable for multiple CVE's

Post by nielsengelen »

Hi Bastiaan,

We are not immediately aware of any open issues as we perform regular checks as well. We’ll look into the ones listed.

Could you let us know which version u tested 2 or 2a (build number)?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: VBA appliance vulnerable for multiple CVE's

Post by b.vanhaastrecht »

Hi Niels,

I'm on 2.0.0.337, I do have updates availeble and will process them now and retest afterwords.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: VBA appliance vulnerable for multiple CVE's

Post by b.vanhaastrecht »

I've run the updates, but still on 2.0.0.337.

Run a new scan and the same CVE's are still active.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBA appliance vulnerable for multiple CVE's

Post by nielsengelen »

Hi Bastiaan,

Did u also install all the other related security updates via our updater UI? We have just verified this and if you install all the updates accordingly, you will have an Nginx version that has all of this resolved.

Code: Select all

# apt-cache show nginx | grep Version 
Version: 1.14.0-0ubuntu1.9
Version: 1.14.0-0ubuntu1
# lsb_release -a 
Description:    Ubuntu 18.04.5 LTS
Codename:       bionic
```
 
According to the ubuntu references the latest build 1.14.0-0ubuntu1.9 has all needed fixes for the specified CVEs.
```
[+] CVE-2021-23017 
    https://ubuntu.com/security/CVE-2021-23017
    Ubuntu 18.04 LTS (Bionic Beaver)    Released (1.14.0-0ubuntu1.9)
 
[+] CVE-2018-16843
    https://ubuntu.com/security/CVE-2018-16843
    Ubuntu 18.04 LTS (Bionic Beaver)    Released (1.14.0-0ubuntu1.2)
 
[+] CVE-2019-9511
    https://ubuntu.com/security/CVE-2019-9511
    Ubuntu 18.04 LTS (Bionic Beaver)    Released (1.14.0-0ubuntu1.4)
 
[+] CVE-2019-9513
    https://ubuntu.com/security/CVE-2019-9513
    Ubuntu 18.04 LTS (Bionic Beaver)    Released (1.14.0-0ubuntu1.4)
 
[+] CVE-2018-16844
    https://ubuntu.com/security/CVE-2018-16844
    Ubuntu 18.04 LTS (Bionic Beaver)    Released (1.14.0-0ubuntu1.2)
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
b.vanhaastrecht
Service Provider
Posts: 880
Liked: 164 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: VBA appliance vulnerable for multiple CVE's

Post by b.vanhaastrecht »

Apperently the vulnerability scanner does not detect the installed nginx version well enough. It detects:

Code: Select all

The host carries the product: cpe:/a:nginx:nginx:1.14.0
While installed:

Code: Select all

Version: 1.14.0-0ubuntu1.9
Version: 1.14.0-0ubuntu1.7
Version: 1.14.0-0ubuntu1
I have raised a ticket at the vulnerability scanner people. They need to determine its a CVE or scanner problem.

Thanks for checking!
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBA appliance vulnerable for multiple CVE's

Post by nielsengelen »

Hi Bastiaan,

It's mostly a scanner problem from the looks of it. Ubuntu tends to resolve CVE's in a separate way for certain products compared to just updating the build number :-). Hopefully it helps for the improvement.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests