Hi folks,
our vulnerability scan returns an old openssl library in up2date v12 P20230718.
We found C:\Program Files (x86)\Veeam\Backup Transport\x64\vix\ssleay32.dll within version 0.9.8t on all several Veeam Server, even on Agents or Proxy Server.
This release contains several know security issues:
CVE-2016-0703
CVE-2016-0704
CVE-2015-3195
CVE-2015-1792
and much more (https://www.openssl.org/news/vulnerabilities-0.9.8.html)
Newest release of openssl 0.9.8 is 0.9.8zh (https://abi-laboratory.pro/?view=timeline&l=openssl).
I already opened a case (#07027256). Support ignore these information and returns, there is no vulnerabilite known within this library.
In fact, this library seems to be included in VMWARE VDDK Library for using VIX. I already opened a case bei VMware regarding the library, but they ask me to open an SDK-Case, but as we are no development-partner, we are not entitlent to open an VMware SDK case.
Anyone able to confirm this old library in Veeam Directory? Maybe someone else has more luck by creating a veeam case regarding known security issues in their software.
Have a great Day, Sven
-
- Service Provider
- Posts: 5
- Liked: never
- Joined: Feb 06, 2018 6:08 am
- Full Name: Sven Schaffranneck
- Contact:
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: ssleay32.dll 0.9.8t security vulnerability
Hi, if it's a part of VMware VDDK then there's no point in creating Veeam cases. We will update VDDK in our products once VMware ships an updated version, as a part of our standard process of maintaining 3rd party components up to date. Thanks
-
- Service Provider
- Posts: 5
- Liked: never
- Joined: Feb 06, 2018 6:08 am
- Full Name: Sven Schaffranneck
- Contact:
Re: ssleay32.dll 0.9.8t security vulnerability
Hi Gostev,
thank you. Since this software is bundled an distributed by Veeam, I really hope there is an interesst to close known vulnerabilities. Maybe Veeam is able to address this to VMware as a Technology Partner. I'll keep you updated regarding the open case.
Greets, Sven
thank you. Since this software is bundled an distributed by Veeam, I really hope there is an interesst to close known vulnerabilities. Maybe Veeam is able to address this to VMware as a Technology Partner. I'll keep you updated regarding the open case.
Greets, Sven
Who is online
Users browsing this forum: Bing [Bot] and 20 guests