Veeam ONE: Hotfix for critical vulnerabilities is available 

B2B Cyber Security ShortNews


Veeam is informing its users about two critical and two medium-severity vulnerabilities in Veeam ONE for which patches are already available. The critical flaws have CVSS v3 scores of 9.9 and 9.8 out of 10, so those responsible should act immediately.

The vulnerabilities CVE-2023-38547 and CVE-2023-38548 pose a high level of danger in Veeam ONE. The following versions are affected:

  • Veeam ONE 12 P20230314 (12.0.1.2591)
  • Veeam ONE 11a (11.0.1.1880)
  • Veeam ONE 11 (11.0.0.1379)

Two critical vulnerabilities in Veeam ONE

The first vulnerability, CVE-2023-38547 (CVSS v3.1: 9.9), allows an unauthenticated user to obtain information about the SQL Server connection that Veeam ONE uses to access its configuration database. This can lead to remote code execution on the SQL Server that hosts the Veeam ONE configuration database.

The second vulnerability, CVE-2023-38548 (CVSS v3.1: 9.8), allows an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.

The two medium-severity vulnerabilities, CVE-2023-38549 and CVE-2023-41723, have CVSS v3.1 scores of 4.5 and 4.3 and should also be patched. The first allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role via XSS. The second allows a user with the Veeam ONE Read-Only User role to view the dashboard schedule.

Special release notes for Veeam Recovery Orchestrator

Veeam ONE is a component of Veeam Recovery Orchestrator – formerly known as Veeam Disaster Recovery Orchestrator or Veeam Availability Orchestrator. Customers using the following versions of Orchestrator should install the embedded Veeam ONE build hotfix from this article.

  • Veeam Recovery Orchestrator 6 P20230419 uses Veeam ONE 12 P20230314 (Build 12.0.1.2591).
    Note: Veeam Recovery Orchestrator 6 GA ships with Veeam ONE 12.0.0.2498, which is not compatible with this hotfix. Check which version of Veeam ONE is installed; if 12.0.0.2498 is installed, update Veeam Recovery Orchestrator as documented in KB4437.
  • Veeam Disaster Recovery Orchestrator 5 uses Veeam ONE 11a (Build 11.0.1.1880)
  • Veeam Availability Orchestrator 4 uses Veeam ONE 11 (Build 11.0.0.1379)
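To turn the two version lists above into something an administrator can run against an inventory, here is an added triage script (my example, not Veeam's code). It encodes only what the article states: the three affected Veeam ONE builds, the Veeam Recovery Orchestrator 6 GA build 12.0.0.2498 that the hotfix does not support, and the KB4437 reference. The inventory lines are constructed sample data; anything not matching those builds is flagged as "not listed" rather than guessed at.

```python
"""Triage a Veeam ONE / Orchestrator inventory against the hotfix advisory above.

Added example, not Veeam's own tooling. Affected builds, the 12.0.0.2498
incompatibility note and the KB4437 reference are taken from the article;
the inventory below is constructed sample data.
"""
from dataclasses import dataclass

# Veeam ONE builds the advisory lists as affected (build tuple -> product name).
AFFECTED_BUILDS = {
    (12, 0, 1, 2591): "Veeam ONE 12 P20230314",
    (11, 0, 1, 1880): "Veeam ONE 11a",
    (11, 0, 0, 1379): "Veeam ONE 11",
}

# Veeam Recovery Orchestrator 6 GA embeds this build; the hotfix does not support it.
VRO6_GA_BUILD = (12, 0, 0, 2498)

# Constructed inventory: "hostname,installed Veeam ONE build". Not real hosts.
SAMPLE_INVENTORY = [
    "# host,veeam_one_build",
    "one-prod-01,12.0.1.2591",
    "vro6-lab,12.0.0.2498",
    "one-legacy,11.0.1.1880",
    "one-other,12.9.9.9999",
    "broken-entry,twelve.zero",
]


@dataclass
class Finding:
    host: str
    build: str
    priority: int   # 0 = act now, 1 = prerequisite step, 2 = verify, 3 = bad data
    action: str


def parse_build(text: str) -> tuple[int, ...]:
    """Parse '12.0.1.2591' into (12, 0, 1, 2591); reject anything that is not 4 integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part Veeam build number: {text!r}")
    return tuple(int(p) for p in parts)


def triage_host(host: str, build_text: str) -> Finding:
    """Map one host's installed build to the action the advisory prescribes."""
    try:
        build = parse_build(build_text)
    except ValueError as exc:
        return Finding(host, build_text, 3, f"UNPARSEABLE build ({exc})")
    if build in AFFECTED_BUILDS:
        return Finding(host, build_text, 0,
                       f"APPLY HOTFIX ({AFFECTED_BUILDS[build]} is affected)")
    if build == VRO6_GA_BUILD:
        # Hotfix is incompatible with the GA build: update Orchestrator per KB4437 first.
        return Finding(host, build_text, 1,
                       "UPDATE ORCHESTRATOR FIRST (KB4437), then apply hotfix")
    return Finding(host, build_text, 2, "NOT LISTED in advisory; verify with vendor")


def triage_inventory(lines) -> list[Finding]:
    """Triage a CSV-style inventory and return findings ordered by priority."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, build_text = line.partition(",")
        if not sep:
            findings.append(Finding(host, "", 3, "UNPARSEABLE line (missing build column)"))
            continue
        findings.append(triage_host(host.strip(), build_text))
    return sorted(findings, key=lambda f: (f.priority, f.host))


if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:14} {f.build:14} {f.action}")
```

Feeding it a real inventory export is a matter of replacing `SAMPLE_INVENTORY` with the file's lines; the sort puts hosts that need the hotfix today first, Orchestrator 6 GA hosts (which need the KB4437 update before the hotfix can be applied) second, and anything the advisory does not name last so nobody mistakes "not listed" for "not affected".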

More at Veeam.com

About Veeam

Veeam offers companies resiliency through data security, data recovery and data freedom for their hybrid cloud. Veeam Data Platform offers a single solution for cloud, virtual, physical, SaaS and Kubernetes environments, giving businesses the confidence that their applications and data are protected and always available to keep their businesses running.
