Vulnerability detection software may issue false positive alerts based merely on the fact that the libcurl library file is present on a machine where the Veeam Transport Service has been deployed. Below is a list of component roles where Veeam Backup & Replication deploys the Veeam Transport Service for data movement purposes, meaning that the libcurl file contained in the VDDK libraries will also be found on servers holding these roles:
Mitigation involves the removal of VDDK, which contains the libcurl library, from machines where it is not needed. It is crucial that VDDK not be removed from any machine with a role that requires the capability to communicate with the VMware vSphere environment.
Roles where VDDK must not be removed, as removal would impact the ability to communicate with the VMware vSphere environment:
Please note that the presence of VDDK on any other Veeam components or on protected machines that do not carry the above roles does not represent even a theoretical threat because VDDK is never used or called from the Veeam code on those machines.
If you have any questions or concerns, please do not hesitate to create a Veeam Support case.
For each machine that your security software has alerted to the presence of the libcurl library:
To remove the VDDK libraries on a Linux machine, use the following command:
To remove the VDDK libraries from a Windows machine, use the following commands: