Monitoring and reporting for Veeam Data Platform
Post Reply
jorgedlcruz
Veeam Software
Posts: 1485
Liked: 653 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Critical Security Update for Veeam ONE - Immediate Action Required

Post by jorgedlcruz » 6 people like this post

We have identified several vulnerabilities that need your attention:
  • CVE-2023-38547: Critical issue with a CVSS v3.1 score of 9.9, enabling information disclosure of SQL server details.
  • CVE-2023-38548: Another critical vulnerability, CVSS v3.1 score of 9.8, allowing NTLM hash acquisition from the Veeam ONE Web Client.
  • CVE-2023-38549: Medium-severity XSS vulnerability with a CVSS v3.1 score of 4.5, allowing role escalation in Veeam ONE.
  • CVE-2023-41723: Medium issue, CVSS v3.1 score of 4.3, where Read-Only Users can view the Dashboard Schedule.
Affected Versions: Veeam ONE 11, 11a, 12

Hotfixes for these vulnerabilities are now available. To address these issues, please refer to Veeam KB article KB4508 for detailed instructions on how to secure your Veeam ONE installations.

Your security is our priority. Stay vigilant!
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
Pat490
Expert
Posts: 170
Liked: 29 times
Joined: Apr 28, 2015 7:18 am
Full Name: Patrick
Location: Germany
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by Pat490 »

After applying the HF, should the Patch version be visible in about dialog? For me it still says just "12.0.1.2591"
jorgedlcruz
Veeam Software
Posts: 1485
Liked: 653 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by jorgedlcruz » 1 person likes this post

Hello,
Nothing visible in the UI anywhere. As they are hotfixes with manual files replacement. Let me check internally if there is any powershell to aid with this.

We are planning to move to a better msi-like approach for future hotfixes releases such as this.

Thank you
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
lando_uk
Veteran
Posts: 380
Liked: 35 times
Joined: Oct 17, 2013 10:02 am
Full Name: Mark
Location: UK
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by lando_uk »

Hi
Without a file version increase, then products like Nessus won't be able to detect if the hotfix has been applied or not.

This looks like a rush job to me... Will there be a msi package for this soon?
Gostev
Chief Product Officer
Posts: 31754
Liked: 7259 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by Gostev » 1 person likes this post

Actually, we had patches shipped like that for some years now, so it's nothing new or "rush job". This approach saved us some significant Dev/QA time. We're planning to change this in VBR starting from 12.1 (which requires preparations in 12.1 itself) and I assume Veeam ONE has the same transition planned.
tka
Service Provider
Posts: 11
Liked: 4 times
Joined: Apr 04, 2014 6:24 am
Full Name: Tim
Location: Cologne, Germany
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by tka »

Hi!

What about Orchestrator which includes Veeam ONE?

Tim
Gostev
Chief Product Officer
Posts: 31754
Liked: 7259 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by Gostev »

All Veeam ONE instances must be updated, including the one in Orchestrator.
davis_b
Enthusiast
Posts: 31
Liked: never
Joined: Jan 03, 2017 3:11 pm
Full Name: Brent Davis
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by davis_b »

I just attempted to apply the patch to my VeeamONE Orchestrator instance but the reporter service fails to start after replacing the files. I am on the latest version of Orchestrator available 6.0.0.3516 but my VeeamONE instance for Orchestrator is not the required version 12.0.1.2591 needed for the hotfix to work. If I am not mistaken we do not need to be upgrading the VeeamONE instance for Orchestrator out of band of the Orchestrator install as a whole. But the KB states the VeeamONE Orchestrator instance would be affected as well. Is there additional instructions that I am missing in the KB to apply the patch to my VeeamONE Orchestrator instance? Thanks!
jorgedlcruz
Veeam Software
Posts: 1485
Liked: 653 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by jorgedlcruz »

Hello Davis,
I will verify with QA once again, but meanwhile if you could open a quick ticket with the issue to reflect it officially, that would be great. Share the ticket id with us for tracking.

Will reply as soon as having an answer.
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
jorgedlcruz
Veeam Software
Posts: 1485
Liked: 653 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by jorgedlcruz »

Hello Davis,
Yes, it is like you said, you will need exactly need the latest patch: Once you have the latest VRO patch, please apply the Hotfix as per the step by step.

Thank you
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
chrisr
Influencer
Posts: 18
Liked: 2 times
Joined: May 19, 2022 1:45 pm
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by chrisr »

Gostev wrote: Nov 07, 2023 8:47 pm All Veeam ONE instances must be updated, including the one in Orchestrator.
Just as learning for the next time, it would be good to include VDRO version in the list of affected versions from the outset (I see it has been added now), and to have the correct paths listed in the documentation, as they are different for the bundled version.
chris.childerhose
Veeam Vanguard
Posts: 631
Liked: 151 times
Joined: Aug 13, 2014 6:03 pm
Full Name: Chris Childerhose
Location: Toronto, ON
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by chris.childerhose »

I completed this patch, which caused issues with Data Collection for me, so I had to revert it on my main VONE server. Collection is back again, and RnD is working on the case I have open to determine what is causing the warnings and data collection not to work. Case ID - #07006946
-----------------------
Chris Childerhose
Veeam Vanguard / Veeam Legend / Veeam Ceritified Architect / VMCE
vExpert / VCAP-DCA / VCP8 / MCITP
Personal blog: https://just-virtualization.tech
Twitter: @cchilderhose
jorgedlcruz
Veeam Software
Posts: 1485
Liked: 653 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by jorgedlcruz » 1 person likes this post

Thank you Chris,
Let me take a look on what could be the main issue, will keep you posted.

Appreciated your time.

Regarding VRO, from a few posts before, we make the changes on the KB, and especially indicated the VRO version required to apply the patch, which needs to be latest cumulative update before applying it.

Thank you
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
chris.childerhose
Veeam Vanguard
Posts: 631
Liked: 151 times
Joined: Aug 13, 2014 6:03 pm
Full Name: Chris Childerhose
Location: Toronto, ON
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by chris.childerhose »

Thanks, Jorge. They seemed to have figured out the issue based on the last email update I got yesterday, but no fix/resolution just yet. Hopefully, soon, I can patch things again.
-----------------------
Chris Childerhose
Veeam Vanguard / Veeam Legend / Veeam Ceritified Architect / VMCE
vExpert / VCAP-DCA / VCP8 / MCITP
Personal blog: https://just-virtualization.tech
Twitter: @cchilderhose
davis_b
Enthusiast
Posts: 31
Liked: never
Joined: Jan 03, 2017 3:11 pm
Full Name: Brent Davis
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by davis_b »

jorgedlcruz wrote: Nov 10, 2023 11:02 am Hello Davis,
Yes, it is like you said, you will need exactly need the latest patch: Once you have the latest VRO patch, please apply the Hotfix as per the step by step.

Thank you
Ended up being my mistake. I went back to my Orchestrator and I overlooked the version somehow. I was not running VDRO with the latest cumulative patch that came out in April this year (https://www.veeam.com/kb4437?ad=in-text ... nualupdate). Once I applied the cumulative update, applied the vulnerability patch again (https://www.veeam.com/kb4508?utm_source ... mcomkb4508) service are back up and running again.

User error in the end :cry:

Thanks!
Brent
jorgedlcruz
Veeam Software
Posts: 1485
Liked: 653 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: Critical Security Update for Veeam ONE - Immediate Action Required

Post by jorgedlcruz »

Amazing news, Davis. Thanks a lot for confirming.

Let us know if any problem appears.
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
Post Reply

Who is online

Users browsing this forum: No registered users and 5 guests