Veeam is informing its users about two critical and two medium-severity vulnerabilities in Veeam ONE for which patches are already available. The critical vulnerabilities have CVSS v3 scores of 9.9 and 9.8 out of 10, so administrators should patch immediately.
The vulnerabilities CVE-2023-38547 and CVE-2023-38548 pose a high risk to Veeam ONE. The following versions are affected:
- Veeam ONE 12 P20230314 (12.0.1.2591)
- Veeam ONE 11a (11.0.1.1880)
- Veeam ONE 11 (11.0.0.1379)
Two critical vulnerabilities in Veeam One
The first vulnerability, CVE-2023-38547 (CVSS v3.1 score 9.9), allows an unauthenticated user to obtain information about the SQL Server connection that Veeam ONE uses to access its configuration database. This can lead to remote code execution on the SQL Server that hosts the Veeam ONE configuration database.
The second vulnerability, CVE-2023-38548 (CVSS v3.1 score 9.8), allows an unprivileged user who has access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
The two medium-severity vulnerabilities, CVE-2023-38549 (CVSS v3.1 score 4.5) and CVE-2023-41723 (CVSS v3.1 score 4.3), should also be patched. The first allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role via XSS. The second allows a user with the Veeam ONE Read-Only User role to view the dashboard schedule.
Special release notes for Veeam Recovery Orchestrator
Veeam ONE is a component of Veeam Recovery Orchestrator, formerly known as Veeam Disaster Recovery Orchestrator or Veeam Availability Orchestrator. Customers using the following versions of Orchestrator should install the hotfix for the embedded Veeam ONE build referenced in this article.
- Veeam Recovery Orchestrator 6 P20230419 uses Veeam ONE 12 P20230314 (Build 12.0.1.2591).
Note: Veeam Recovery Orchestrator 6 GA ships with Veeam ONE 12.0.0.2498, which is not compatible with this hotfix. Check which version of Veeam ONE is installed; if 12.0.0.2498 is installed, update Veeam Recovery Orchestrator as documented in KB4437.
- Veeam Disaster Recovery Orchestrator 5 uses Veeam ONE 11a (Build 11.0.1.1880)
- Veeam Availability Orchestrator 4 uses Veeam ONE 11 (Build 11.0.0.1379)
About Veeam
Veeam offers companies resiliency through data security, data recovery and data freedom for their hybrid cloud. Veeam Data Platform offers a single solution for cloud, virtual, physical, SaaS and Kubernetes environments, giving businesses the confidence that their applications and data are protected and always available to keep their businesses running.