michaelryancook
Expert
Posts: 116
Liked: 14 times
Joined: Nov 26, 2013 6:13 pm
Full Name: Michael Cook
Contact:

OpenSSL version on Veeam Proxy Appliance

Post by michaelryancook » Oct 25, 2017 10:03 pm

Hi all. This is related to Case # 02358134. Our security team recently scanned our environment and the Veeam proxy appliance used in SureBackup jobs was flagged as using an older OpenSSL version that has numerous vulnerabilities. We are running Veeam B&R 9.0.0.1715. I logged into the console of the proxy and verified that version 1.0.0 is installed and that the proxy is listening on port 443. We are trying to determine if there are any updates available that would address this vulnerability. Is the same version used in 9.5?

TIA, Michael

foggy
Veeam Software
Posts: 16836
Liked: 1361 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: OpenSSL version on Veeam Proxy Appliance

Post by foggy » Oct 26, 2017 4:21 pm

Hi Michael, the version that comes with the appliance in Veeam B&R v9 and v9.5 should be OpenSSL-1.0.1i and it didn't change in the recent release.


Re: OpenSSL version on Veeam Proxy Appliance

Post by michaelryancook » Oct 26, 2017 8:05 pm

Hi Foggy. Ours is definitely OpenSSL-1.0.0 not 1.0.1. We have been told that we need to run OpenSSL-1.0.1u or higher so even v9.5 will not address our issue. I may have to discuss with security to see what the exploit entails to see if we can leave as is.


Re: OpenSSL version on Veeam Proxy Appliance

Post by foggy » Oct 27, 2017 2:27 pm

We will be updating the appliance in one of the future releases.


Re: OpenSSL version on Veeam Proxy Appliance

Post by michaelryancook » Oct 27, 2017 5:06 pm

Thanks Foggy

louis8963
Lurker
Posts: 1
Liked: never
Joined: Nov 09, 2017 6:53 am
Full Name: Chan Kin Hei
Contact:

[MERGED] OpenSSL Security Issue "CVE-2017-3736"

Post by louis8963 » Nov 09, 2017 7:08 am

Hi all,

On 02 Nov 2017, OpenSSL released a Security Advisory talking about the security issue
Ref: https://www.openssl.org/news/secadv/20171102.txt

I would like to know whether it is related to VEEAM products like VEEAM 9.5 Backup & Replication.

After I created a case with VEEAM support, the VEEAM engineer referred me here and advised me to open a topic.

So, can anyone help?

Thanks.

traderma
Lurker
Posts: 2
Liked: never
Joined: Sep 13, 2018 6:31 am
Contact:

[MERGED] VeeamLab: Proxy has numerous vulnerabilities

Post by traderma » Sep 13, 2018 7:19 am

Hi Veeam community,

We use SureBackup to verify our backups. Our security team regularly performs scans on our network, and noticed that the Veeam proxy appliance that is the proxy to the Veeam VirtualLab environment uses outdated Apache and OpenSSL versions (we use the most recent version of Veeam B&R, 9.5.0.1922). The Veeam proxy has the following vulnerabilities:

http://www.tenable.com/plugins/index.ph ... e&id=90888
http://www.tenable.com/plugins/index.ph ... e&id=93814
http://www.tenable.com/plugins/index.ph ... e&id=78555
http://www.tenable.com/plugins/index.ph ... &id=100995
http://www.tenable.com/plugins/index.ph ... e&id=96451
http://www.tenable.com/plugins/index.ph ... &id=101788
http://www.tenable.com/plugins/index.ph ... e&id=89081

Is Veeam going to patch this in future versions? Did anybody notice this before?

Cheers from Austria
Till


Re: OpenSSL version on Veeam Proxy Appliance

Post by traderma » Sep 13, 2018 10:17 am

foggy wrote: We will be updating the appliance in one of the future releases.
When will this happen? Apparently security vulnerabilities in the Veeam proxy are known for about a year now. I'd like at least an estimate when this will be fixed, that I can relay to our security team.


Re: OpenSSL version on Veeam Proxy Appliance

Post by foggy » Sep 13, 2018 11:34 am

The update had actually already happened at least once since that reply. And it will happen again with the upcoming release of Veeam B&R 9.5 U4 - proxy appliance will contain OpenSSL 1.0.2l there (this version addresses all the mentioned vulnerabilities). I'm currently checking re: Apache version.


Re: OpenSSL version on Veeam Proxy Appliance

Post by foggy » Sep 14, 2018 11:53 am

The rest of the mentioned vulnerabilities will also be addressed in U4 (without updating Apache version though - it is not required).
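
Added example, not part of the original thread and not Veeam or OpenSSL code: a version gate for the "1.0.1u or higher" requirement discussed above, which has to handle legacy OpenSSL patch-letter suffixes. The function names and the per-branch `floors` list are assumptions; the sample strings are the versions quoted in the thread.

```python
import re

# Legacy (pre-3.0) OpenSSL versions look like 1.0.1u or 1.0.2za: three numbers
# plus an optional patch-letter suffix. No letter is the branch's first release.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?![a-z0-9])")


def parse_openssl_version(text):
    """Return (branch, patch_key) from `openssl version` output or a bare version."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no legacy OpenSSL version found in {text!r}")
    major, minor, fix, letters = match.groups()
    # Patch letters sort as "" < a < ... < z < za < zb, so compare length first.
    return (int(major), int(minor), int(fix)), (len(letters), letters)


def assess(installed, floors):
    """Classify an installed version against per-branch minimum fixed versions.

    floors: non-empty list with one minimum version per branch, e.g. ["1.0.1u"].
    Returns "ok", "below", or "no-floor". "no-floor" means the branch is newer
    than every listed floor, so that branch's own fixed version must be looked
    up before the host is marked compliant (patch letters restart per branch).
    """
    if not floors:
        raise ValueError("at least one floor version is required")
    branch, patch = parse_openssl_version(installed)
    by_branch = dict(parse_openssl_version(floor) for floor in floors)
    if branch in by_branch:
        return "ok" if patch >= by_branch[branch] else "below"
    if branch < min(by_branch):
        # Assumption: branches older than the oldest floor never got the fix.
        return "below"
    return "no-floor"


# Version strings as quoted in the thread; the floor is the one the poster was given.
THREAD_VERSIONS = ["OpenSSL-1.0.0", "OpenSSL-1.0.1i", "OpenSSL-1.0.1u", "OpenSSL 1.0.2l"]
FLOORS = ["1.0.1u"]


def report(versions=THREAD_VERSIONS, floors=FLOORS):
    """Map each reported version string to its classification."""
    return {version: assess(version, floors) for version in versions}


if __name__ == "__main__":
    for version, verdict in report().items():
        print(f"{version:16} {verdict}")
```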
