Veeam ONE: Hotfix for critical vulnerabilities is available

B2B Cyber Security ShortNews


Veeam is informing its users about two critical and two medium-severity vulnerabilities in Veeam ONE for which patches are already available. The critical flaws have CVSS v3 scores of 9.9 and 9.8 out of 10, so those responsible should act immediately.

The vulnerabilities, tracked as CVE-2023-38547 and CVE-2023-38548, pose a high level of danger to Veeam ONE installations. The following versions are affected:

  • Veeam ONE 12 P20230314 (12.0.1.2591)
  • Veeam ONE 11a (11.0.1.1880)
  • Veeam ONE 11 (11.0.0.1379)

Two critical vulnerabilities in Veeam One

The first vulnerability, CVE-2023-38547 (CVSS v3.1 score 9.9), allows an unauthenticated user to obtain information about the SQL Server connection that Veeam ONE uses to access its configuration database. This can lead to remote code execution on the SQL Server that hosts the Veeam ONE configuration database.

The second vulnerability, CVE-2023-38548 (CVSS v3.1 score 9.8), allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.

The two medium-severity vulnerabilities, CVE-2023-38549 and CVE-2023-41723, have CVSS v3.1 scores of 4.5 and 4.3 and should also be patched. They are described as follows: the first allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role via XSS. The second allows a user with the Veeam ONE Read-Only User role to view the dashboard schedule.

Special release notes for Veeam Recovery Orchestrator

Veeam ONE is a component of Veeam Recovery Orchestrator – formerly known as Veeam Disaster Recovery Orchestrator or Veeam Availability Orchestrator. Customers running the following Orchestrator versions should install the embedded Veeam ONE build hotfix from Veeam's article.

  • Veeam Recovery Orchestrator 6 P20230419 uses Veeam ONE 12 P20230314 (Build 12.0.1.2591).
    Note: Veeam Recovery Orchestrator 6 GA ships with Veeam ONE 12.0.0.2498, which is not compatible with this hotfix. Check which version of Veeam ONE is installed; if 12.0.0.2498 is installed, update Veeam Recovery Orchestrator as documented in KB4437.
  • Veeam Disaster Recovery Orchestrator 5 uses Veeam ONE 11a (Build 11.0.1.1880)
  • Veeam Availability Orchestrator 4 uses Veeam ONE 11 (Build 11.0.0.1379)

More at Veeam.com
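The version check described above, turned into a small triage helper as an added example (not code from the article or from Veeam): it maps each reported Veeam ONE build to the action the advisory prescribes, treating the Orchestrator 6 GA build as the special case that needs an Orchestrator update rather than the hotfix. The inventory, hostnames and the non-listed build are constructed sample data.

```python
import re
from typing import Dict, List

# Affected Veeam ONE builds named in the advisory; the hotfix applies to these.
AFFECTED_BUILDS = {
    "12.0.1.2591": "Veeam ONE 12 P20230314",
    "11.0.1.1880": "Veeam ONE 11a",
    "11.0.0.1379": "Veeam ONE 11",
}
# Shipped with Veeam Recovery Orchestrator 6 GA; the hotfix is not compatible,
# the advisory says to update Orchestrator as documented in KB4437 instead.
ORCHESTRATOR_GA_BUILD = "12.0.0.2498"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def normalize_build(raw: str) -> str:
    """Extract the four-part build number from strings such as
    'Build 12.0.1.2591' or 'Veeam ONE 12.0.0.2498'; '' if none is found."""
    m = _VERSION_RE.search(raw)
    return ".".join(m.groups()) if m else ""


def triage_build(raw: str) -> str:
    """Map an installed Veeam ONE build to the action the advisory prescribes."""
    build = normalize_build(raw)
    if build in AFFECTED_BUILDS:
        return "apply-hotfix"
    if build == ORCHESTRATOR_GA_BUILD:
        return "update-orchestrator-kb4437"
    # Not named in the advisory: confirm its status against Veeam's KB.
    return "not-listed"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts (hostname -> reported version string) by required action."""
    groups: Dict[str, List[str]] = {}
    for host, raw in inventory.items():
        groups.setdefault(triage_build(raw), []).append(host)
    return groups


# Constructed sample inventory; hostnames and the last build are made up.
SAMPLE_INVENTORY = {
    "one-prod-01": "Build 12.0.1.2591",
    "one-dr-02": "11.0.1.1880",
    "vro6-ga-03": "Veeam ONE 12.0.0.2498",
    "one-lab-04": "12.9.0.1",
}

if __name__ == "__main__":
    for action, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{action}: {', '.join(hosts)}")
```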
