mkretzer
Veeam Legend
Posts: 1145
Liked: 388 times
Joined: Dec 17, 2015 7:17 am
Contact:

Critical V11 and V12 vulnerability?

Post by mkretzer » 1 person likes this post

Hello,

does anyone here have more info about this: https://www.reddit.com/r/Veeam/comments ... erability/

Is there a workaround other than patch installation?

Markus
DanielJ
Service Provider
Posts: 200
Liked: 32 times
Joined: Jun 10, 2019 12:19 pm
Full Name: Daniel Johansson
Contact:

Re: Critical V11 and V12 vulnerability?

Post by DanielJ »

Can we get some actual information on this? I haven't got any mail. I would expect info such as this to be published here on the forum.
JamesMcG
Enthusiast
Posts: 39
Liked: 8 times
Joined: Jul 11, 2012 3:39 pm
Full Name: James McGuinness
Contact:

Re: Critical V11 and V12 vulnerability?

Post by JamesMcG »

Why is the patched version (11.0.1.1261) the same as the one I updated to last year as well?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev » 1 person likes this post

@mkretzer the workaround is documented following the link you posted.

@DanielJ you can read all actual information following the same link. As always, we will update the sticky once the KB articles (with the same exact info as above) are published and link them there. Our GIS team requested that email notifications be sent to our customers first before making this information public in the form of KB articles. Make sure you're not unsubscribed from Veeam communications.

@JamesMcG it's not the same, the cumulative patch level is different (you had P2022XXXX, this one is P2023XXXX).
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

DanielJ wrote: Mar 07, 2023 6:25 pm I would expect info such as this to be published here on the forum.
May or may not be published depending on severity, whether the PM responsible for the particular product is available or is on vacation, and so on and so forth. Not the purpose of this forum really. I recommend subscribing to the Support KB instead (see at the top of this page), this one is automated and is not dependent on a "human factor" :)
DanielJ
Service Provider
Posts: 200
Liked: 32 times
Joined: Jun 10, 2019 12:19 pm
Full Name: Daniel Johansson
Contact:

Re: Critical V11 and V12 vulnerability?

Post by DanielJ »

Thanks, but all I can see is a post on Reddit. I'll wait until I can read the updated KB articles.
mkretzer
Veeam Legend
Posts: 1145
Liked: 388 times
Joined: Dec 17, 2015 7:17 am
Contact:

Re: Critical V11 and V12 vulnerability?

Post by mkretzer »

Gostev wrote: Mar 07, 2023 6:37 pm @mkretzer the workaround is documented following the link you posted.
So the workaround just works on installations with no remote components?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

That is correct... which is basically a third of all Veeam installs, so it was worth mentioning as an option.

The support KB articles are now published, and I've updated the sticky ALL VERSIONS topic with them.
Regnor
VeeaMVP
Posts: 940
Liked: 291 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Regnor »

@Anton: Do only customers with active contracts get such notifications? I haven't received this one nor another critical issue some time ago, but do get all other general notifications (releases, events, ...).
LickABrick
Enthusiast
Posts: 60
Liked: 30 times
Joined: Dec 23, 2019 7:26 pm
Full Name: Lick A Brick
Contact:

Re: Critical V11 and V12 vulnerability?

Post by LickABrick »

@Regnor, you can subscribe via: https://www.veeam.com/knowledge-base.html
Regnor
VeeaMVP
Posts: 940
Liked: 291 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Regnor »

Those are the weekly digests, which I already receive, but I'm referring to the mailing posted in reddit.
LickABrick
Enthusiast
Posts: 60
Liked: 30 times
Joined: Dec 23, 2019 7:26 pm
Full Name: Lick A Brick
Contact:

Re: Critical V11 and V12 vulnerability?

Post by LickABrick »

It says: Want to receive a weekly summary of the latest KB updates or immediate notices about Security Advisories?

So it should notify you quite fast. Reddit posts can be edited so I assume they can post those a little earlier.
HYF_JE
Enthusiast
Posts: 35
Liked: 5 times
Joined: Jan 24, 2023 11:14 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by HYF_JE »

Disclaimer: Veeam novice.

I'm sure this is the case based on the contents of the KBs but to verify - this vulnerability does NOT affect Veeam ONE and Veeam Backup Enterprise Manager, correct? Only VBR?
mkaec
Veteran
Posts: 462
Liked: 134 times
Joined: Jul 16, 2015 1:31 pm
Full Name: Marc K
Contact:

Re: Critical V11 and V12 vulnerability?

Post by mkaec »

I've been changing the passwords of the credentials stored in Veeam as a precaution. There are a few I did not create and cannot remove. They appear to be default. I don't remember setting their passwords or giving them to an external system. If that's the case, are there even any passwords stored that would pose a risk?

Provider-side network extension appliance credentials
Helper appliance credentials
Tenant-side network extension appliance credentials
Azure helper appliance credentials
rgmueller
Enthusiast
Posts: 27
Liked: 4 times
Joined: Dec 21, 2018 4:35 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by rgmueller »

What is meant by "remote components"? We have AWS VTLs. I have a local physical VBR server and 2 local physical servers that are mainly repository servers. I assume I need to apply this patch?
edh
Service Provider
Posts: 189
Liked: 44 times
Joined: Nov 02, 2020 2:48 pm
Full Name: Manuel Rios
Contact:

[MERGED] Re: V12 Patch P20230223

Post by edh »

Can anyone at Veeam work to improve communication for critical patches?

Not just a post on Reddit before service providers got knowledge.

Maybe an email notification, as your marketing department does for "selling" features.

I think that is not the way to notify us of a security event, through Reddit.
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Mildur »

@edh
I moved your comment. Please use this topic and not the other one. The other one was VSPC related.

We will check why you didn't receive a mail as others have and give you feedback.

Thank you.
Fabian
Product Management Analyst @ Veeam Software
DavidCNZ
Novice
Posts: 5
Liked: never
Joined: Aug 17, 2016 2:38 am
Contact:

Re: Critical V11 and V12 vulnerability?

Post by DavidCNZ »

Hi,

Considering the criticality of this patch I was surprised to find that when I tried to install it I can't because we don't currently have maintenance. We will have it renewed soon but the company is in the process of part of it transferring to a new owner so things like maintenance tend to be on hold.

Veeam has a long-standing commitment to ensuring our products protect customers from any potential risk.

... but only if you've paid your maintenance. I can understand this if it had been for an old version but for a recently expired v11?

Regards
David
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

The emphasis is on "our customers", which you are currently not. Think of it as if you did not renew your Netflix subscription. This is nothing new really, has been in Veeam EULA for 15 years now:
5.0 Maintenance and Support [...] Software updates cannot be applied to the Software with an expired Maintenance plan.
Having said that, depending on your scenario you can potentially use a workaround.
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [MERGED] Re: V12 Patch P20230223

Post by Gostev » 1 person likes this post

edh wrote: Mar 07, 2023 9:24 pm Maybe an email notification, as your marketing department does for "selling" features.
Email notifications are being sent out, the Reddit post is the very result of those. Due to the sheer size of the Veeam customer base, it will take a few days. They just cannot be done instantly to all 500K+ customers without Veeam getting automatically banned worldwide for spam.

The world of big numbers is really peculiar.
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

rgmueller wrote: Mar 07, 2023 9:21 pm What is meant by "remote components"? We have AWS VTLs. I have a local physical VBR server and 2 local physical servers that are mainly repository servers. I assume I need to apply this patch?
Yes, you do - since you have your backup repositories on different servers than your backup server.
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

HYF_JE wrote: Mar 07, 2023 9:18 pm I'm sure this is the case based on the contents of the KBs but to verify - this vulnerability does NOT affect Veeam ONE and Veeam Backup Enterprise Manager, correct? Only VBR?
That is correct.
BennyDC
Enthusiast
Posts: 45
Liked: 8 times
Joined: Mar 03, 2017 3:24 pm
Full Name: Benny De Cock
Contact:

Re: Critical V11 and V12 vulnerability?

Post by BennyDC »

Hi,
Is a database backup recommended before running this update?
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Mildur »

Hi Benny

You should have a daily configuration backup already.
But it's always recommended to create a manual configuration backup before an update.

Best,
Fabian
Product Management Analyst @ Veeam Software
apolloxm
Enthusiast
Posts: 94
Liked: 1 time
Joined: Aug 27, 2021 12:29 am
Contact:

Re: Critical V11 and V12 vulnerability?

Post by apolloxm »

We had Veeam Agent for Windows in our environment. If we installed this patch, do we need to reboot Veeam Agent for Windows? Or just reboot the Veeam VBR server?
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Mildur »

Veeam VBR Server. The patch only updates the VBR server.
There is no new Agent build within the patch.

Best,
Fabian
Product Management Analyst @ Veeam Software
Cragdoo
Veeam Vanguard
Posts: 629
Liked: 251 times
Joined: Sep 27, 2011 12:17 pm
Full Name: Craig Dalrymple
Location: Scotland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Cragdoo »

Just checking the emergency patches are not a breaking release, e.g. customers upgrade before MSPs will still be able to use VCC services?
UnknownUser468
Lurker
Posts: 1
Liked: never
Joined: Feb 20, 2023 2:26 pm
Contact:

Re: Critical V11 and V12 vulnerability?

Post by UnknownUser468 »

Do I understand correctly that the patch only needs to be installed on the VBR server? On my other proxy and repo server the patch does not need to be installed?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

Cragdoo wrote: Mar 08, 2023 11:02 am Just checking the emergency patches are not a breaking release, e.g. customers upgrade before MSPs will still be able to use VCC services?
Correct, this is not a breaking patch for VCC.
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical V11 and V12 vulnerability?

Post by Gostev »

UnknownUser468 wrote: Mar 08, 2023 11:06 am Do I understand correctly that the patch only needs to be installed on the VBR server? On my other proxy and repo server the patch does not need to be installed?
Yes, patches are always installed on a backup server only.

As far as the remote components, you will see the answer when going through the patch wizard :D basically, it can trigger their update automatically for you (following the patch installation) or you can do the same manually later in the backup console. Obviously, this only applies to patches that actually update modules of the remote components, and I believe this particular patch is not one of them. [EDIT] Not correct, it needs to patch Windows servers which are acting as mount servers for your repositories (usually they are the same servers as your Windows-based repository servers).