Comprehensive data protection for all workloads
mkretzer
Veeam Legend
Posts: 1203
Liked: 417 times
Joined: Dec 17, 2015 7:17 am
Contact:

Critical V11 and V12 vunerablility?

Post by mkretzer » 1 person likes this post

Hello,

does anyone here have more info about this: https://www.reddit.com/r/Veeam/comments ... erability/

Is there a workaround other than patch installation?

Markus
DanielJ
Service Provider
Posts: 240
Liked: 44 times
Joined: Jun 10, 2019 12:19 pm
Full Name: Daniel Johansson
Contact:

Re: Critical V11 and V12 vunerablility?

Post by DanielJ »

Can we get some actual information on this? I haven't got any mail. I would expect info such as this to be published here on the forum.
JamesMcG
Enthusiast
Posts: 39
Liked: 8 times
Joined: Jul 11, 2012 3:39 pm
Full Name: James McGuinness
Contact:

Re: Critical V11 and V12 vunerablility?

Post by JamesMcG »

Why is the patched version (11.0.1.1261) the same as the one I updated to last year as well?
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Gostev » 1 person likes this post

@mkretzer the workaround is documented following the link you posted.

@DanielJ you can read all actual information following the same link. As always, we will update the sticky once the KB articles (with the same exact info as above) are published and link them there. Our GIS team requested email notifications are sent to our customers first before making this information public in a form of KB articles. Make sure you're not unsubscribed from Veeam communications.

@JamesMcG it's not the same, the cumulative patch level is different (you had P2022XXXX, this one is P2023XXXX).
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Gostev »

DanielJ wrote: Mar 07, 2023 6:25 pmI would expect info such as this to be published here on the forum.
May or not be published depending on severity, whether the PM responsible for the particular product is available or is on vacation, and so on and so forth. Not the purpose of this forum really. I recommend subscribing to the Support KB instead (see at the top of this page), this one is automated and is not dependent on a "human factor" :)
DanielJ
Service Provider
Posts: 240
Liked: 44 times
Joined: Jun 10, 2019 12:19 pm
Full Name: Daniel Johansson
Contact:

Re: Critical V11 and V12 vunerablility?

Post by DanielJ »

Thanks, but all I can see is a post on Reddit. I'll wait until I can read the updated KB articles.
mkretzer
Veeam Legend
Posts: 1203
Liked: 417 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: Critical V11 and V12 vunerablility?

Post by mkretzer »

Gostev wrote: Mar 07, 2023 6:37 pm@mkretzer the workaround is documented following the link you posted.
So the workaround just works on installations with no remote components?
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Gostev »

That is correct... which is basically a third of all Veeam installs, so it was worth mentioning as an option.

The support KB articles are now published, and I've updated the sticky ALL VERSIONS topic with them.
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Regnor »

@Anton: Do only customers with active contracts get such notifications? I haven't received this one nor another critical issue some time ago, but do get all other general notifications(releases, events,...).
LickABrick
Enthusiast
Posts: 67
Liked: 31 times
Joined: Dec 23, 2019 7:26 pm
Full Name: Lick A Brick
Contact:

Re: Critical V11 and V12 vunerablility?

Post by LickABrick »

@Regnor, you can subscribe via: https://www.veeam.com/knowledge-base.html
Regnor
VeeaMVP
Posts: 1007
Liked: 314 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Regnor »

Those are the weekly digests, which I already receive, but I'm referring to the mailing posted in reddit.
LickABrick
Enthusiast
Posts: 67
Liked: 31 times
Joined: Dec 23, 2019 7:26 pm
Full Name: Lick A Brick
Contact:

Re: Critical V11 and V12 vunerablility?

Post by LickABrick »

It says: Want to receive a weekly summary of the latest KB updates or immediate notices about Security Advisories?

So it should notify you quite fast. Reddit posts can be edited so I assume they can post those a little earlier.
HYF_JE
Enthusiast
Posts: 50
Liked: 7 times
Joined: Jan 24, 2023 11:14 pm
Contact:

Re: Critical V11 and V12 vunerablility?

Post by HYF_JE »

Disclaimer: Veeam novice.

I'm sure this is the case based on the contents of the KBs but to verify - this vulnerability does NOT affect Veeam ONE and Veeam Backup Enterprise Manager, correct? Only VBR?
mkaec
Veteran
Posts: 465
Liked: 136 times
Joined: Jul 16, 2015 1:31 pm
Full Name: Marc K
Contact:

Re: Critical V11 and V12 vunerablility?

Post by mkaec »

I've been changing the passwords of the credentials stored in Veeam as a precaution. There are a few I did not create and cannot remove. They appear to be default. I don't remember setting their passwords or giving them to an external system. If that's the case, are there even any passwords stored that would pose a risk?

Provider-side network extension appliance credentials
Helper appliance credentials
Tenant-side network extension appliance credentials
Azure helper appliance credentials
rgmueller
Enthusiast
Posts: 27
Liked: 4 times
Joined: Dec 21, 2018 4:35 pm
Contact:

Re: Critical V11 and V12 vunerablility?

Post by rgmueller »

What is meant by "remote components"? We have AWS VTLs. I have a local physical VBR server and2 local physical servers that are mainly repository servers. I assume I need to apply this patch?
edh
Service Provider
Posts: 290
Liked: 91 times
Joined: Nov 02, 2020 2:48 pm
Full Name: Manuel Rios
Location: Madrid, Spain
Contact:

[MERGED] Re: V12 Patch P20230223

Post by edh »

Can anyone in Veeam work for improve comunication for critical patches?

Not just a post in Reddit before service providers got knowleage.

Maybe a Email notification, as your marketing department do for "selling" features.

I think that is not the way to notify us of a security event through Reddit.
Mildur
Product Manager
Posts: 9847
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Mildur »

@edh
I moved your comment. Please use this topic and not the other one. The other one was VSPC related.

We will check why you didn‘t have received a mail as others have and give you a feedback.

Thank you.
Fabian
Product Management Analyst @ Veeam Software
DavidCNZ
Novice
Posts: 5
Liked: never
Joined: Aug 17, 2016 2:38 am
Contact:

Re: Critical V11 and V12 vunerablility?

Post by DavidCNZ »

Hi,

Considering the criticality of this patch I was surprised to find that when I tried to install it I can't because we don't currently have maintenance. We will have it renewed soon but the company is in the process of part of it transferring to a new owner so things like maintenance tend to be on hold.

Veeam has a long-standing commitment to ensuring our products protect customers from any potential risk.

... but only if you've paid your maintenance. I can understand this if it had been for an old version but for a recently expired v11?

Regards
David
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Gostev »

The emphasis is on "our customers", which you are currently not. Think of it as if you did not renew your Netflix subscription. This is nothing new really, has been in Veeam EULA for 15 years now:
5.0 Maintenance and Support [...] Software updates cannot be applied to the Software with an expired Maintenance plan.
Having said that, depending on your scenario you can potentially use a workaround.
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [MERGED] Re: V12 Patch P20230223

Post by Gostev » 1 person likes this post

edh wrote: Mar 07, 2023 9:24 pmMaybe a Email notification, as your marketing department do for "selling" features.
Email notifications are being sent out, the Reddit post is the very result of those, Due to the sheer size of the Veeam customer base, it will take a few days. They just cannot be done instantly to all 500K+ customers without Veeam getting automatically banned worldwide for spam.

The world of big numbers is really peculiar.
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Gostev »

rgmueller wrote: Mar 07, 2023 9:21 pm What is meant by "remote components"? We have AWS VTLs. I have a local physical VBR server and2 local physical servers that are mainly repository servers. I assume I need to apply this patch?
Yes, you do - since you have your backup repositories on different servers than your backup server.
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Gostev »

HYF_JE wrote: Mar 07, 2023 9:18 pmI'm sure this is the case based on the contents of the KBs but to verify - this vulnerability does NOT affect Veeam ONE and Veeam Backup Enterprise Manager, correct? Only VBR?
That is correct.
BennyDC
Enthusiast
Posts: 50
Liked: 8 times
Joined: Mar 03, 2017 3:24 pm
Full Name: Benny De Cock
Contact:

Re: Critical V11 and V12 vunerablility?

Post by BennyDC »

Hi,
is a database backup recommend before running this update?
Mildur
Product Manager
Posts: 9847
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Mildur »

Hi Benny

You should have a daily configuration backup already.
But it's always recommended to create a manual configuration backup before an update.

Best,
Fabian
Product Management Analyst @ Veeam Software
apolloxm
Expert
Posts: 109
Liked: 11 times
Joined: Aug 27, 2021 12:29 am
Contact:

Re: Critical V11 and V12 vunerablility?

Post by apolloxm »

we had veeam agent for windows in our environment,if we installed this patch, do we need to reboot veeam agent for windows
? or just reboot veeam vbr server
Mildur
Product Manager
Posts: 9847
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Mildur »

Veeam VBR Server. The patch only updates the VBR server.
There is no new Agent build within the patch.

Best,
Fabian
Product Management Analyst @ Veeam Software
Cragdoo
Veeam Vanguard
Posts: 629
Liked: 251 times
Joined: Sep 27, 2011 12:17 pm
Full Name: Craig Dalrymple
Location: Scotland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Cragdoo »

Just checking the emergency patches are not a breaking release, e.g. customers upgrade before MSPs will still be able to use VCC services?
UnknownUser468
Lurker
Posts: 1
Liked: never
Joined: Feb 20, 2023 2:26 pm
Contact:

Re: Critical V11 and V12 vunerablility?

Post by UnknownUser468 »

Do I understand correctly that the patch only needs to be installed on the VBR server? On my other proxy and repo server the patch does not need to be installed?
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Gostev »

Cragdoo wrote: Mar 08, 2023 11:02 am Just checking the emergency patches are not a breaking release, e.g. customers upgrade before MSPs will still be able to use VCC services?
Correct, this is not a breaking patch for VCC.
Gostev
Chief Product Officer
Posts: 31806
Liked: 7300 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vunerablility?

Post by Gostev »

UnknownUser468 wrote: Mar 08, 2023 11:06 am Do I understand correctly that the patch only needs to be installed on the VBR server? On my other proxy and repo server the patch does not need to be installed?
Yes, patches are always installed on a backup server only.

As far as the remote components, you will see the answer when going through the patch wizard :D basically, it can trigger their update automatically for you (following the patch installation) or you can do the same manually later in the backup console. Obviously, this only applies to patches that actually update modules of the remote components, and I believe this particular patch is not one of them. [EDIT] Not correct, it needs to patch Windows servers which are acting as mount servers for your repositories (usually they are the same servers as your Windows-based repository servers).
Post Reply

Who is online

Users browsing this forum: Bing [Bot], d.artzen and 244 guests