controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA

Include Security Fixes in Release Notes

Post by controlfreak » Jan 31, 2019 7:04 pm

We have compliance requirements to evaluate software patches/updates for security fixes within 30 days of release. Currently, Veeam product release notes do not contain a list of bug fixes or security fixes. This is somewhat unusual for software release notes. Please include at a minimum, security fixes in the release notes.

These documents don't contain any bugfix/security fix information.
https://www.veeam.com/veeam_agent_windo ... _en_rn.pdf
https://www.veeam.com/veeam_backup_9_5_ ... tes_rn.pdf

This document points out (page 19) that OpenSSL vulnerabilities have been fixed, but does not clarify whether it is in Veeam One, Veeam Backup and Replication, or Veeam Agent for Windows. As such, I have to assume that the agent 3.0 release contains security fixes for OpenSSL.
https://www.veeam.com/veeam_backup_9_5_whats_new_wn.pdf

I worked with my account manager to get this information, and they suggested creating a forum post to generate interest for the "Feature". Please add security and bug fix information to release notes.

Thanks,

-Control

Gostev
SVP, Product Management
Posts: 24787
Liked: 3518 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Include Security Fixes in Release Notes

Post by Gostev » Jan 31, 2019 9:52 pm

Thanks, good suggestion. I do remember mentioning some security fixes in the What's New for Update 4, particularly around storage integrations. I will see how we can do a better job tracking them as regular "new features", so that they don't get lost. I have an idea that should work without causing too much pain to anyone in R&D.

controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA

Re: Include Security Fixes in Release Notes

Post by controlfreak » Jan 31, 2019 10:53 pm

Great, thanks. Looking forward to what you come up with.

controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA

Re: Include Security Fixes in Release Notes

Post by controlfreak » Mar 27, 2019 6:24 pm

Hey Gostev,

I am doing patch evaluation for NERC CIP compliance today (an every-30-day process). Agent version 3.0.1 was released, but the release notes do not contain any fix information. I can't determine whether it is a security patch due to this lack of information. Can you please confirm for me whether the agent update contains any security or vulnerability fixes?

More on this topic, KB2926 states: "In addition, Update 4a addresses over 300 minor Update 4 bugs reported by customers and found during the internal testing."

It would be extremely helpful to have access to the full bugfix list so I can effectively evaluate Veeam updates for security fixes. If not, I really need a way to confirm that those 400 bugfixes do not contain a security fix.

Due to the inadequate release notes for the new agent 3.0.1, I'll be forced to install the newest agent on all our CIP-classified critical assets unless I can confirm by Thursday that the update doesn't contain a security fix. Due to these compliance requirements, I would be running a very new agent version, released yesterday, on critical bulk electric system assets. It would be AWESOME if I could say without a doubt whether or not an agent update contains security fixes. If it doesn't, I can choose to deploy to critical systems after a thorough test period.

Thanks for listening to my compliance woes!

Control

P.Tide
Product Manager
Posts: 5260
Liked: 459 times
Joined: May 19, 2015 1:46 pm

Re: Include Security Fixes in Release Notes

Post by P.Tide » Mar 28, 2019 11:03 am

Hi,

> Can you please confirm for me if the agent update contains any security or vulnerability fixes?

Which agent are you referring to?

> It would be extremely helpful to have access to the full bugfix list so I can effectively evaluate veeam updates for security fixes. If not, I really need a way to confirm that those 400 bugfixes do not contain a security fix.

That is, you are OK with either of these ways:

a) An official statement that says "no security fixes included". In this case you'll be able to "skip" the update and perform your own tests for as long as you please in order to feel comfortable with installing the update.

b) An official list of fixed bugs with descriptions OR an official statement that says: "contains security fixes". If the latter, then you'll have to install it right away. If the former, you'll have to examine the list in order to figure out if there are any security fixes.

Is that correct?

> I would be running a very new agent version that released yesterday on critical bulk electric system assets.

That doesn't sound right to me. IMO, when it comes to critical systems, every new software release has to brew for a while in a test polygon, no matter what the software vendor claims. One doesn't simply install the newest stuff the next day after release.

Thanks!

controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA

Re: Include Security Fixes in Release Notes

Post by controlfreak » Mar 28, 2019 8:13 pm

Hi PTide, happy to clarify.

I am looking at the newest agent release, version 3.0.1. We are required by NERC CIP-007 R2.2 to evaluate security patches for applicability within 35 days of release.

Acceptable evidence for the patch evaluation process includes release notes containing bugfix information that we can review to make a determination, or a statement from the vendor that release x.y does not contain any security fixes. We could use either.

In the case of a security patch being released, I do need technical information about the vulnerability or a CVE number. The reason for this is that NERC CIP R2.3 requires that we install security patches within 35 days of the evaluation date, or that we create a security patch mitigation plan within 35 days of the evaluation. We have the option to mitigate security patches if we are concerned about production impact, but we can't create a mitigation plan without technical details of the vulnerability. The mitigation plan requires us to document details of the vulnerability, technical controls to mitigate the vulnerability, and a date for the end of the mitigation (the end of mitigation requiring patch installation or software version update to non-vulnerable version). The mitigation plan has to be signed off by upper management and submitted to the regulators, so it must be adequately detailed and accurate.

Regarding testing prior to deployment, we always test on dev systems prior to deployment to production. Our patch cycle includes an evaluation install week and multiple production install weeks, with the most critical system being patched several weeks after the evaluation assets.

Ultimately, in order to make informed decisions regarding our compliance patch program, we need timely information about security fixes contained in Veeam software releases. We do this every month, so a self-help option is preferred to opening a support ticket every month. Veeam is the only vendor for which I evaluate patches that doesn't put this information in the release notes.

Let me know if you need any other specific detail.

Thanks,

Control

P.Tide
Product Manager
Posts: 5260
Liked: 459 times
Joined: May 19, 2015 1:46 pm

Re: Include Security Fixes in Release Notes

Post by P.Tide » Mar 29, 2019 2:24 pm

Thank you for the clarification. I guess you want such lists to be maintained for both agents (we have two of them, for Windows and for Linux, and both go with the same version number 3.0.1).

Thanks!

controlfreak
Enthusiast
Posts: 46
Liked: 5 times
Joined: Jan 12, 2018 11:20 pm
Full Name: Control
Location: Washington, USA

Re: Include Security Fixes in Release Notes

Post by controlfreak » Apr 01, 2019 11:22 pm

Currently we only use the Windows agent, but we would support the change on both to be future-proof!

michaelsbak
Lurker
Posts: 2
Liked: 2 times
Joined: Apr 17, 2019 11:31 pm
Full Name: Michael Martin

Re: Include Security Fixes in Release Notes

Post by michaelsbak » Apr 17, 2019 11:38 pm

This would be very helpful for me as well.
