hwextreme
Novice
Posts: 3
Liked: never
Joined: Aug 23, 2023 8:55 am
Full Name: Phil Burgess

Using PostgreSQL for VBR Database? Check your version CVE in PostgreSQL

Post by hwextreme »

Hi all

We noticed that there is a CVE, CVE-2024-7348 (CVSS=8.8), for PostgreSQL that is fixed in version 15.8+/16.4+. We are running version 12.2 of Veeam due to the security fixes, but noticed on our test servers that Postgres is still 15.6. It seems that this is not upgraded when you upgrade Veeam BR even though it is included in the 12.2 package; it must be performed manually afterwards.
As this is not disclosed in the release notes for 12.2, considering it already contained several security fixes, or in the V12 user guide from what I can see, I would suggest checking your installed version to see if you need to upgrade it.

We have always used dedicated SQL servers for Veeam, so they have been automatically patched by our DBA team, but with Postgres installed by the Veeam installer package we assumed it would be updated with the Veeam applications, as this has been the normal situation with our other backup products that install a database server.

https://www.postgresql.org/support/secu ... 2024-7348/

Phil
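
A version check along the lines suggested in the post above, as an added example (not from the thread or from Veeam): it parses the string printed by `postgres -V` or returned by `SELECT version()` and compares it with the fixed releases the post names. The server names and version strings are constructed sample data, and majors other than 15 and 16 are reported as Unknown because the thread gives no fixed release for them.

```powershell
# Fixed releases for CVE-2024-7348 as stated in the thread (15.8+ / 16.4+).
# Majors not listed here are reported as 'Unknown' (assumption: look them up
# in the PostgreSQL advisory before drawing a conclusion).
$FixedIn = @{ 15 = [version]'15.8'; 16 = [version]'16.4' }

function Get-PgVersion {
    # Pull "major.minor" out of `postgres -V` or `SELECT version()` output.
    param([string]$Text)
    if ($Text -match 'PostgreSQL\)?\s+(\d+)\.(\d+)') {
        return [version]('{0}.{1}' -f $Matches[1], $Matches[2])
    }
    return $null   # empty output, beta builds, anything unexpected
}

function Test-PgCve20247348 {
    # Hypothetical helper name; returns one status row per server.
    param([string]$Server, [string]$VersionText)
    $v = Get-PgVersion -Text $VersionText
    $status = if ($null -eq $v) { 'Unparsed' }
              elseif (-not $FixedIn.ContainsKey($v.Major)) { 'Unknown' }
              elseif ($v -ge $FixedIn[$v.Major]) { 'Fixed' }
              else { 'NeedsUpdate' }
    [pscustomobject]@{ Server = $Server; Version = $v; Status = $status }
}

# Constructed inventory: version strings as collected from each VBR server.
$inventory = @(
    @{ Server = 'vbr-test-01'; VersionText = 'postgres (PostgreSQL) 15.6' }
    @{ Server = 'vbr-test-02'; VersionText = 'PostgreSQL 15.8, compiled by Visual C++ build 1940, 64-bit' }
    @{ Server = 'vbr-test-03'; VersionText = 'postgres (PostgreSQL) 15.10' }
    @{ Server = 'vbr-test-04'; VersionText = 'postgres (PostgreSQL) 16.3' }
    @{ Server = 'vbr-test-05'; VersionText = 'postgres (PostgreSQL) 14.12' }
    @{ Server = 'vbr-test-06'; VersionText = 'connection refused' }
)

$inventory |
    ForEach-Object { Test-PgCve20247348 -Server $_.Server -VersionText $_.VersionText } |
    Format-Table -AutoSize
```

The `[version]` comparison is numeric per component, so 15.10 correctly sorts after 15.8, which a plain string comparison would get wrong.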
Mildur
Product Manager
Posts: 10277
Liked: 2746 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Using PostgreSQL for VBR Database? Check your version CVE in PostgreSQL

Post by Mildur »

Hello Phil

Our plan is to include automatic PostgreSQL patching with VBR updates in one of the upcoming releases. But for now, you must update PostgreSQL manually.

Please note that all new deployments already use the PostgreSQL v15.8 installer from our ISO (VeeamBackup&Replication_12.2.0.334_20240913.iso). You can check the installer on the ISO.

"\Redistr\x64\PostgreSQL\15.8-1\postgresql-15.8-1-windows-x64.exe"

Best regards,
Fabian
Product Management Analyst @ Veeam Software

Re: Using PostgreSQL for VBR Database? Check your version CVE in PostgreSQL

Post by hwextreme »

Thanks Fabian, that would be great and will ensure that customers' backup environments are safer.