It happened again.
Shortly after Veeam informed the world about new security issues with VBR, the only way we could fix it was to perform a full installation of the next maintenance release. Last time 12.1 -> 12.2, this was also the only way to proceed and we were told that there were so many groundbreaking changes that no patch could be offered.
And this time? 12.3 - with so many changes and new features, it would have even deserved a version 13.0 and again not a simple patch.
Just before Christmas, I now have to update many servers with a major new version.
And the first steps with this version are not promising:
- VC++ components fail during setup and need to be installed manually
- Setup fails the first time with a PostgreSQL issue (we use MS SQL)
- PostgreSQL is installed – we don't need it
- Linux repo server has: "Installing Installer Service Error: Unable to invoke /opt/veeam/deployment/veeamdeploymentsvc command because it was not found"
This is not in the customer's interest!
-
- Enthusiast
- Posts: 83
- Liked: 11 times
- Joined: May 09, 2012 12:52 pm
- Full Name: Stefan Holzwarth
-
- Chief Product Officer
- Posts: 32375
- Liked: 7727 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Where is a patch for 12.2
Actually you don't have to update to 12.3 to address these vulnerabilities, you can instead just apply simple mitigations documented in the KB article.
-
- Enthusiast
- Posts: 83
- Liked: 11 times
- Joined: May 09, 2012 12:52 pm
- Full Name: Stefan Holzwarth
Re: Where is a patch for 12.2
Thx for pointing me to the mitigations - I wasn't aware of them.
But looking now closer these mitigations are not strong (trust VBR users with a role to not use the exploit) or not very easy to use in practice: the agent problem can be mitigated by analyzing whether all agent backed-up servers have path settings with untrusted paths. These are servers of my customers...
So the question remains for me: why are there no patches?
-
- Chief Product Officer
- Posts: 32375
- Liked: 7727 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Where is a patch for 12.2
Because these are not Critical severity issues which have very low potential of exploitability (they require an authenticated OS user with a backup server role assigned) and have simple mitigations available which completely address the vulnerabilities, even if you for some reason call them "not strong" (note there is no such term in security when it comes to vulnerability mitigation: it either mitigates the vulnerability, or it does not).