The vulnerability discussed in this article affects the Veeam Updater component within the backup appliances used by the applications listed below. The updated version of the Veeam Updater component is published to the Veeam Repository with the release of this announcement. Because automatic updates are enabled for all backup appliances associated with this issue, all actively supported backup appliance versions will automatically download and install the updated Veeam Updater component. Administrators should still confirm the installed Veeam Updater version using the steps described for each appliance below rather than relying on the automatic update alone.
Furthermore, for all applications other than Veeam Backup for Salesforce, the latest version of each appliance discussed in this article is unaffected by this vulnerability. This means that customers whose Veeam Backup & Replication deployments utilize these backup appliances are unaffected if they have already upgraded to version 12.3 and updated those backup appliances.
Note: Customers who do not use any of the applications listed in the Issue Details section are entirely unaffected by this vulnerability. For information about checking whether such backup appliances are managed by Veeam Backup & Replication, please refer to the More Information section.
A vulnerability in the Veeam Updater component allows an attacker who can perform a Man-in-the-Middle attack (that is, intercept and alter the appliance's network traffic) to execute arbitrary code on the affected appliance server with root-level permissions.
Severity: Critical
CVSS v3.1 Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Source: Reported by @putsi via HackerOne.
The following product's current release is affected by this vulnerability:
The following products' older releases utilize an older Veeam Updater component that was also found to be affected.
As noted below each entry, the most recent version of each of these appliances is not affected. Therefore, if Veeam Backup & Replication is running version 12.3, and the appliances for these applications have been updated, they will be running a current and unaffected version.
The vulnerability was resolved in Veeam Updater component version 7.9.0.1124.
To confirm the installed version, use the built-in Veeam Updater to Check for Updates; this also updates the Veeam Updater component itself.
Then open View updates history and check the Veeam Updater version shown in the top-right corner.
Note: If Veeam Backup & Replication 12.3 is installed, and the Veeam Backup for Nutanix AHV appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1125.
To confirm the installed version, use the built-in Veeam Updater to Check for Updates; this also updates the Veeam Updater component itself.
Then open View updates history and check the Veeam Updater version shown in the top-right corner.
Note: If Veeam Backup & Replication 12.3 is installed, and the AWS backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1126.
To confirm the installed version, use the built-in Veeam Updater to Check for Updates; this also updates the Veeam Updater component itself.
Then open View updates history and check the Veeam Updater version shown in the top-right corner.
Note: If Veeam Backup & Replication 12.3 is installed, and the Microsoft Azure backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1128.
To confirm the installed version, use the built-in Veeam Updater to Check for Updates; this also updates the Veeam Updater component itself.
Then open View updates history and check the Veeam Updater version shown in the top-right corner.
Note: If Veeam Backup & Replication 12.3 is installed, and the Google Cloud backup appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1128.
To confirm the installed version, use the built-in Veeam Updater to Check for Updates; this also updates the Veeam Updater component itself.
Then open View updates history and check the Veeam Updater version shown in the top-right corner.
Note: If Veeam Backup & Replication 12.3 is installed, and the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization appliance has already been upgraded, the appliance is unaffected by this vulnerability.
The vulnerability was resolved in Veeam Updater component version 9.0.0.1127.
All Veeam Updater component versions equal to or higher than this are unaffected by this vulnerability.
Update the backup appliance from within the Veeam Backup & Replication Console.
To check which Veeam Updater component version the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization appliance is using, open the following file from a log bundle collected from the appliance:
    <log_bundle>/veeam/veeam-updater/updater.log
Search the file for "Starting". Depending on the Veeam Updater build, the version is recorded near each start-up entry in one of two formats.
Either on the line beginning "Application : Veeam.Updater, Version=", for example:
    Starting log. Severity threshold: Information, LogFilesNumber = 10, LogFileMaxSize = 10 Mbs, ArchivesLimit = 10
    -----------------------------------------------------------------------------------------------------------------
    Release version : 11.0.0.754
    Application : Veeam.Updater, Version=11.0.0.754, Culture=neutral, PublicKeyToken=null
Or on the line containing "Main.main: Version:", for example:
    MM.DD.YYYY HH:MM:SS [info ] ### [###] Main.main: ============= Starting =============
    MM.DD.YYYY HH:MM:SS [info ] ### [###] Main.main: Version: 9.0.0.1087
In this example the Veeam Updater build (9.0.0.1087) is lower than the fixed build (9.0.0.1127), which indicates that the Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization backup appliance needs to be updated.
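When many appliances or archived log bundles have to be checked, the manual search above is error-prone, and comparing version strings lexically gives wrong answers (for example "9.0.0.999" sorts after "9.0.0.1127"). The following Python script is an added example, not Veeam's code and not part of this article: it recognises both updater.log formats quoted above, takes the version from the most recent start-up entry, and compares it numerically against a fixed build. The sample log text embedded in it is constructed for the example and modelled on the excerpts above; the process-id and thread-id placeholders ("### [###]") are filled with made-up values.

```python
"""Check a Veeam Updater updater.log against a fixed build.

Added example, not Veeam code. The two line formats are the ones quoted in the
article; the sample log text below is constructed, not taken from a real appliance.
"""
import re
from typing import Optional, Tuple

# Format 1: "Application : Veeam.Updater, Version=11.0.0.754, Culture=neutral, PublicKeyToken=null"
OLD_FORMAT = re.compile(r"Application\s*:\s*Veeam\.Updater,\s*Version=(\d+(?:\.\d+){3})")
# Format 2: "MM.DD.YYYY HH:MM:SS [info ] ### [###] Main.main: Version: 9.0.0.1087"
NEW_FORMAT = re.compile(r"Main\.main:\s*Version:\s*(\d+(?:\.\d+){3})")


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '9.0.0.1087' into (9, 0, 0, 1087) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def updater_version(log_text: str) -> Optional[str]:
    """Return the Veeam Updater version recorded at the most recent start-up, or None.

    updater.log holds many start-ups, and rotated archives may be concatenated,
    so the last match wins: that is the build running when the bundle was collected.
    """
    last = None
    for line in log_text.splitlines():
        match = NEW_FORMAT.search(line) or OLD_FORMAT.search(line)
        if match:
            last = match.group(1)
    return last


def needs_update(log_text: str, fixed_build: str) -> Optional[bool]:
    """True if the logged build is older than fixed_build, False if it is fixed or newer.

    Returns None when no version line is found; treat that as "verify manually",
    never as "not affected".
    """
    found = updater_version(log_text)
    if found is None:
        return None
    return parse_build(found) < parse_build(fixed_build)


# Fixed build for the OLVM/RHV appliance, as stated in the article.
OLVM_RHV_FIXED_BUILD = "9.0.0.1127"

# Constructed sample in the "Main.main: Version:" format, modelled on the article's excerpt.
SAMPLE_NEW_FORMAT = """\
01.15.2025 10:02:11 [info ] 412 [1] Main.main: ============= Starting =============
01.15.2025 10:02:11 [info ] 412 [1] Main.main: Version: 9.0.0.1087
01.15.2025 10:02:12 [info ] 412 [1] Main.main: Checking repository...
"""

# Constructed sample in the "Application : Veeam.Updater, Version=" format.
SAMPLE_OLD_FORMAT = """\
Starting log. Severity threshold: Information, LogFilesNumber = 10, LogFileMaxSize = 10 Mbs, ArchivesLimit = 10
-----------------------------------------------------------------------------------------------------------------
Release version : 11.0.0.754
Application : Veeam.Updater, Version=11.0.0.754, Culture=neutral, PublicKeyToken=null
"""

# Constructed sample of the same appliance after updating: a later start-up with the
# fixed build appended, showing that the newest entry wins and that an equal build is not flagged.
SAMPLE_AFTER_UPDATE = SAMPLE_NEW_FORMAT + """\
02.06.2025 08:30:00 [info ] 988 [1] Main.main: ============= Starting =============
02.06.2025 08:30:00 [info ] 988 [1] Main.main: Version: 9.0.0.1127
"""

if __name__ == "__main__":
    for name, text in (("before update", SAMPLE_NEW_FORMAT), ("after update", SAMPLE_AFTER_UPDATE)):
        version = updater_version(text)
        verdict = needs_update(text, OLVM_RHV_FIXED_BUILD)
        state = "UPDATE REQUIRED" if verdict else "not affected"
        print(f"{name}: Veeam Updater {version} -> {state}")
```

Pass the fixed build for the appliance being checked (the per-appliance values are listed in this article); a None result means the log had no recognisable version line and the appliance should be checked through the Veeam Updater UI instead.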
If a Veeam Backup & Replication deployment is not protecting AWS, Google Cloud, Microsoft Azure, Nutanix AHV, or Oracle Linux VM/Red Hat Virtualization, such a deployment is not impacted by the vulnerability discussed in this article.
You can verify if Veeam Backup & Replication manages any of these affected backup appliances by checking the Backup Infrastructure > Managed Servers list for any of the following entry types: