Host-based backup of VMware vSphere VMs.
Post Reply
s2dt
Service Provider
Posts: 5
Liked: never
Joined: Feb 06, 2018 6:08 am
Full Name: Sven Schaffranneck
Contact:

ssleay32.dll 0.9.8t security vulnerability

Post by s2dt »

Hi folks,

our vulnerability scan returns an old openssl library in up2date v12 P20230718.

We found C:\Program Files (x86)\Veeam\Backup Transport\x64\vix\ssleay32.dll within version 0.9.8t on all several Veeam Server, even on Agents or Proxy Server.
This release contains several know security issues:
CVE-2016-0703
CVE-2016-0704
CVE-2015-3195
CVE-2015-1792
and much more (https://www.openssl.org/news/vulnerabilities-0.9.8.html)

Newest release of openssl 0.9.8 is 0.9.8zh (https://abi-laboratory.pro/?view=timeline&l=openssl).

I already opened a case (#07027256). Support ignore these information and returns, there is no vulnerabilite known within this library.
In fact, this library seems to be included in VMWARE VDDK Library for using VIX. I already opened a case bei VMware regarding the library, but they ask me to open an SDK-Case, but as we are no development-partner, we are not entitlent to open an VMware SDK case.

Anyone able to confirm this old library in Veeam Directory? Maybe someone else has more luck by creating a veeam case regarding known security issues in their software.

Have a great Day, Sven
Gostev
Chief Product Officer
Posts: 31599
Liked: 7092 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: ssleay32.dll 0.9.8t security vulnerability

Post by Gostev »

Hi, if it's a part of VMware VDDK then there's no point in creating Veeam cases. We will update VDDK in our products once VMware ships an updated version, as a part of our standard process of maintaining 3rd party components up to date. Thanks
s2dt
Service Provider
Posts: 5
Liked: never
Joined: Feb 06, 2018 6:08 am
Full Name: Sven Schaffranneck
Contact:

Re: ssleay32.dll 0.9.8t security vulnerability

Post by s2dt »

Hi Gostev,

thank you. Since this software is bundled an distributed by Veeam, I really hope there is an interesst to close known vulnerabilities. Maybe Veeam is able to address this to VMware as a Technology Partner. I'll keep you updated regarding the open case.

Greets, Sven
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot], Semrush [Bot] and 55 guests