- Alan Shearer (Enthusiast) | Posts: 86 | Liked: 15 times | Joined: May 22, 2015 1:41 pm
Veeam 11 and previous security issues
Howdy,
I was curious if Veeam 11 would include some of the requested changes in regards to vulnerabilities, etc. that exist in Veeam 10?
1. Bump Virtual Labs Linux VMs hardware version higher than 7 (a VMware Skyline finding; Case #04212015)
2. Veeam for Nutanix B&R add-on ships with vulnerable Microsoft .NET Core runtime version (Case #04145189)
3. Vulnerable Apache version in Virtual Labs Linux VM (Tenable finding; Case #04040462)
4. Use of TLS 1.0 in Virtual Labs Linux VM (Tenable finding; Case #04040462)
Thanks!
- Vladimir Eremin (Product Manager) | Posts: 20400 | Liked: 2298 times | Joined: Oct 26, 2012 3:28 pm
Re: Veeam 11 and previous security issues
Hi, Alan,
I've reached out to our security team to get an update regarding the reported vulnerabilities; I will write back once I have more information to share.
Thanks!
- Vladimir Eremin (Product Manager) | Posts: 20400 | Liked: 2298 times | Joined: Oct 26, 2012 3:28 pm
Re: Veeam 11 and previous security issues
1) It seems more like a feature request than a security vulnerability: updating the Virtual Lab hardware version. The feature request is tracked; however, I cannot provide any ETA right now.
2), 3), 4): Fixed in v11.
- Chief Product Officer | Posts: 31804 | Liked: 7298 times | Joined: Jan 01, 2006 1:01 am | Location: Baar, Switzerland
Re: Veeam 11 and previous security issues
@veremin let's move the request for 1 to v12, since we plan to drop support for some older ESXi versions there, and this is directly connected to the virtual hardware version we can use for the appliance.
- Alan Shearer (Enthusiast) | Posts: 86 | Liked: 15 times | Joined: May 22, 2015 1:41 pm
Re: Veeam 11 and previous security issues
Perfect, thanks for confirming!!
- Vladimir Eremin (Product Manager) | Posts: 20400 | Liked: 2298 times | Joined: Oct 26, 2012 3:28 pm
Re: Veeam 11 and previous security issues
Tracked as a requirement for v12.
- Alan Shearer (Enthusiast) | Posts: 86 | Liked: 15 times | Joined: May 22, 2015 1:41 pm
Re: Veeam 11 and previous security issues
Howdy @veremin and @Gostev.
It appears items 2, 3, and 4 are *not* fixed in v11. We just checked the versions and ran the vulnerability scanner.
- Hannes Kasparick (Product Manager) | Posts: 14836 | Liked: 3083 times | Joined: Sep 01, 2014 11:46 am | Location: Austria
Re: Veeam 11 and previous security issues
Hello,
Can you maybe explain in more detail?
2: A freshly installed VBR server shows me only Microsoft .NET Core Runtime 3.1.10 installed.
3 & 4: Apache was upgraded to 2.4.43 (it was 2.4.10 when you tested). There was a hotfix for v10, and I also checked my v11 installation.
Best regards,
Hannes
- Alan Shearer (Enthusiast) | Posts: 86 | Liked: 15 times | Joined: May 22, 2015 1:41 pm
Re: Veeam 11 and previous security issues
2. It comes with 3.1.10, which has known security vulnerabilities, for main B&R. The AHV add-on installs an older .NET Core 2.1.x version alongside it, also with vulnerabilities.
3. Yes, I can confirm that, but since that release came out in April 2020 it has numerous known security vulnerabilities.
4. TLS 1.0 is still enabled in the labs Linux VM.
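A defender-side check for the side-by-side runtime situation raised in item 2, added here as an example and not code from the thread, from Veeam or from any scanner: it parses the output of `dotnet --list-runtimes` and flags every runtime that sits on a release line outside an allowed set (such as a 2.1.x left behind by an add-on next to 3.1.x) or that is below a minimum patch level. The `MIN_PATCHED` policy table and `SAMPLE_LISTING` are constructed for illustration, not taken from a real server.

```python
"""Audit .NET Core shared runtimes reported by `dotnet --list-runtimes`."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Minimum acceptable patch level per release line that is allowed on the host.
# Assumed policy values for illustration; take the real minimums from the
# Microsoft .NET release notes for the runtimes your deployment supports.
MIN_PATCHED: Dict[str, Version] = {"3.1": (3, 1, 10)}

# One runtime per line, e.g. "Microsoft.NETCore.App 3.1.10 [C:\...\Microsoft.NETCore.App]"
RUNTIME_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)\s+\[(?P<path>.+)\]$")


def parse_runtimes(listing: str) -> List[Tuple[str, Version, str]]:
    """Turn `dotnet --list-runtimes` output into (name, version, install path) rows."""
    rows = []
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m:
            major, minor, patch = (int(p) for p in m.group("ver").split("."))
            rows.append((m.group("name"), (major, minor, patch), m.group("path")))
    return rows


def audit_runtimes(listing: str, min_patched: Dict[str, Version] = MIN_PATCHED) -> List[str]:
    """Return one finding per runtime that sits on a release line outside the
    allowed set (e.g. a 2.1.x installed by an add-on next to 3.1.x) or that is
    below the minimum patch level for its line. An empty list means clean."""
    findings = []
    for name, ver, path in parse_runtimes(listing):
        line_id, ver_str = f"{ver[0]}.{ver[1]}", ".".join(map(str, ver))
        if line_id not in min_patched:
            findings.append(f"{name} {ver_str} [{path}]: release line {line_id} is not allowed")
        elif ver < min_patched[line_id]:
            want = ".".join(map(str, min_patched[line_id]))
            findings.append(f"{name} {ver_str} [{path}]: below minimum patch level {want}")
    return findings


# Constructed sample of a server where an add-on left an older runtime next to
# the main 3.1.x one; not real output from any scanner or product.
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 2.1.23 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.23 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.10 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
"""
```

On a live server, feed `audit_runtimes` the stdout of `subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True)` instead of the sample; the two 2.1.23 entries in the sample each produce a "not allowed" finding while 3.1.10 passes.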
- Chief Product Officer | Posts: 31804 | Liked: 7298 times | Joined: Jan 01, 2006 1:01 am | Location: Baar, Switzerland
Re: Veeam 11 and previous security issues
I checked, and 3.1.10 was the latest release available when we were shipping v11. So I'm not sure what your expectations are here when you say item 2 was *not* fixed in v11, and what we should have done differently with v11.
Of course, all software and components we use will have new security vulnerabilities discovered continuously, so we will keep including their newer versions with each minor and major release of Veeam Backup & Replication, just like we've done before. And other components and plug-ins will do the same too, according to their own release cadence.
For TLS, I checked with the devs, and the plan is actually to remove HTTPS transport from there completely in v12, because we don't transmit any secrets through that channel anyway: it is used solely to see if the appliance has booted up and is ready for action. So we will switch to plain HTTP, which in turn would solve the insecure TLS version issue.