We have identified several vulnerabilities that need your attention:
CVE-2023-38547: Critical issue with a CVSS v3.1 score of 9.9, enabling information disclosure of SQL server details.
CVE-2023-38548: Another critical vulnerability, CVSS v3.1 score of 9.8, allowing NTLM hash acquisition from the Veeam ONE Web Client.
CVE-2023-38549: Medium-severity XSS vulnerability with a CVSS v3.1 score of 4.5, allowing role escalation in Veeam ONE.
CVE-2023-41723: Medium issue, CVSS v3.1 score of 4.3, where Read-Only Users can view the Dashboard Schedule.
Affected Versions: Veeam ONE 11, 11a, 12
Hotfixes for these vulnerabilities are now available. To address these issues, please refer to Veeam KB article KB4508 for detailed instructions on how to secure your Veeam ONE installations.
Your security is our priority. Stay vigilant!
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software
Hello,
Nothing visible in the UI anywhere, as they are hotfixes with manual file replacement. Let me check internally if there is any PowerShell to aid with this.
We are planning to move to a better MSI-like approach for future hotfix releases such as this.
Thank you
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software
Actually, we had patches shipped like that for some years now, so it's nothing new or "rush job". This approach saved us some significant Dev/QA time. We're planning to change this in VBR starting from 12.1 (which requires preparations in 12.1 itself) and I assume Veeam ONE has the same transition planned.
I just attempted to apply the patch to my VeeamONE Orchestrator instance, but the reporter service fails to start after replacing the files. I am on the latest version of Orchestrator available, 6.0.0.3516, but my VeeamONE instance for Orchestrator is not the required version 12.0.1.2591 needed for the hotfix to work. If I am not mistaken, we do not need to be upgrading the VeeamONE instance for Orchestrator out of band of the Orchestrator install as a whole. But the KB states the VeeamONE Orchestrator instance would be affected as well. Are there additional instructions that I am missing in the KB to apply the patch to my VeeamONE Orchestrator instance? Thanks!
Hello Davis,
I will verify with QA once again, but meanwhile, if you could open a quick ticket with the issue to reflect it officially, that would be great. Share the ticket ID with us for tracking.
Will reply as soon as I have an answer.
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software
Gostev wrote: ↑Nov 07, 2023 8:47 pm
All Veeam ONE instances must be updated, including the one in Orchestrator.
Just as a learning for next time, it would be good to include the VDRO version in the list of affected versions from the outset (I see it has been added now), and to have the correct paths listed in the documentation, as they are different for the bundled version.
I completed this patch, which caused issues with Data Collection for me, so I had to revert it on my main VONE server. Collection is back again, and R&D is working on the case I have open to determine what is causing the warnings and data collection not to work. Case ID: #07006946
Thank you Chris,
Let me take a look at what could be the main issue; will keep you posted.
Appreciate your time.
Regarding VRO, as noted a few posts before, we made the changes to the KB and specifically indicated the VRO version required to apply the patch, which needs to be the latest cumulative update before applying it.
Thank you
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software
Thanks, Jorge. They seem to have figured out the issue based on the last email update I got yesterday, but no fix/resolution just yet. Hopefully, soon, I can patch things again.