CVE-2023-38547 | CVE-2023-38548
CVE-2023-38549 | CVE-2023-41723
Issue Details
CVE-2023-38547
A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.
Affected Version(s)*: Veeam ONE 11, 11a, 12
Severity: Critical
CVSS v3.1 score: 9.9
CVE-2023-38548
A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
Affected Version(s)*: Veeam ONE 12
Severity: Critical
CVSS v3.1 score: 9.8
CVE-2023-38549
A vulnerability in Veeam ONE allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role through the use of XSS.
Note: The criticality of this vulnerability is reduced as it requires interaction by a user with the Veeam ONE Administrator role.
Affected Version(s)*: Veeam ONE 11, 11a, 12
Severity: Medium
CVSS v3.1 score: 4.5
CVE-2023-41723
A vulnerability in Veeam ONE allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.
Note: The criticality of this vulnerability is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes.
Affected Version(s)*: Veeam ONE 11, 11a, 12
Severity: Medium
CVSS v3.1 score: 4.3
*Vulnerability testing was only performed using actively supported versions of Veeam ONE.
Solution
A hotfix to resolve these vulnerabilities is available for the following versions:
- Veeam ONE 12 P20230314 (12.0.1.2591)
- Veeam ONE 11a (11.0.1.1880)
- Veeam ONE 11 (11.0.0.1379)
Veeam Recovery Orchestrator (formerly known as Veeam Disaster Recovery Orchestrator or Veeam Availability Orchestrator) utilizes an embedded deployment of Veeam ONE.
Customers using the following versions of Orchestrator should install the embedded Veeam ONE build's hotfix from this article.
- Veeam Recovery Orchestrator 6 uses Veeam ONE 12 P20230314 (build 12.0.1.2591)
- Veeam Disaster Recovery Orchestrator 5 uses Veeam ONE 11a (build 11.0.1.1880)
- Veeam Availability Orchestrator 4 uses Veeam ONE 11 (build 11.0.0.1379)
Download Information
The hotfixes below were built for the specific Veeam ONE build numbers listed.
If a hotfix package intended for a specific build number is deployed on a Veeam ONE server that does not have that matching build installed, the Veeam ONE Reporting Service will fail to start.
Review the steps in the deployment section, and heed the advice to double-check which Veeam ONE build is installed before applying the hotfix.
Check Veeam ONE Build Number
Before downloading the hotfix, check which version of Veeam ONE is installed using one of the methods below:
- Check under Help > About in the Veeam ONE Client.
- Check within Apps and Features or Programs and Features (Appwiz.cpl).
- Run the following command on the Veeam ONE server:
Get-Package -name "Veeam ONE*"
Download Hotfix That Matches Installed Build Number
MD5: 4BA7E812769F0C4FB98331E20B498C01
SHA1: 1604B837E25041D863B432A6C3D1EE12E640ED62
MD5: 0DCDD67FE151FFC8242469B75AED3025
SHA1: 1AFB3B762BF46B76337A94D30066EA7F3AABBCB1
MD5: 93B87925C4AFB030DDA6388DF31E5984
SHA1: 74AD4B5A18A16276F74043F3098D6ED6132C97D0
Deployment Information
1. Verify the version of Veeam ONE installed using one of the methods below:
- Check under Help > About in the Veeam ONE Client.
- Check within Apps and Features or Programs and Features (Appwiz.cpl).
- Run the following command on the Veeam ONE server:
Get-Package -name "Veeam ONE*"
2. Download the hotfix package that matches the installed Veeam ONE build number.
3. Stop the following services on the Veeam ONE server:
- Veeam ONE Monitoring Service
- Veeam ONE Reporting Service
4. Replace the existing files with the files provided in the hotfix.
- DLLs in the root of the hotfix zip go in: C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server\
  - Veeam.Reporter.GrpcService.dll
  - Veeam.Reporter.WebApiService.dll
  - Veeam.Reporter.PackInstaller.dll
  - Veeam.Reporter.GrpcShared.dll (only in the hotfix for 12.0.1.2591, as it is related to the vulnerability that only affects Veeam ONE version 12)
- Files in the Collecting folder within the hotfix go in: C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server\Collecting\
  - Veeam.Retriever.exe
  - Veeam.Reporter.GrpcShared.dll (only in the hotfix for 12.0.1.2591, as it is related to the vulnerability that only affects Veeam ONE version 12)
- Files in the Reporting folder within the hotfix go in: C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server\Reporting\
  - Veeam.Reporter.Reporting.exe
  - Veeam.Reporter.GrpcShared.dll (only in the hotfix for 12.0.1.2591, as it is related to the vulnerability that only affects Veeam ONE version 12)
5. Start the services stopped in Step 3.
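The build check from the "Check Veeam ONE Build Number" section and the five deployment steps above, combined into one PowerShell script that refuses to proceed when the installed build or the package checksum does not match. This is an added example, not a script from the Veeam article or from Veeam itself. It assumes the hotfix zip has already been downloaded, that the zip uses the layout the article describes (DLLs in the zip root plus Collecting and Reporting subfolders), that Veeam ONE is installed in the default path, and that the service display names are the ones listed in Step 3; the $HotfixZip and $ExpectedBuild parameters and the backup folder are the script's own additions.

```powershell
<#
  Added example, not part of the Veeam KB article: applies a Veeam ONE hotfix package
  with the pre-flight checks the article calls for. Assumptions (the script's own, not
  from the article): the zip is already downloaded, it uses the layout the article
  describes (DLLs in the zip root, plus Collecting\ and Reporting\ subfolders), Veeam ONE
  is installed in the default path, and the service display names match the article.
  Run in an elevated PowerShell session on the Veeam ONE server.
#>
param(
    [Parameter(Mandatory)] [string] $HotfixZip,
    # Build the package was built for: 12.0.1.2591, 11.0.1.1880 or 11.0.0.1379
    [Parameter(Mandatory)] [string] $ExpectedBuild,
    [string] $InstallRoot = 'C:\Program Files\Veeam\Veeam ONE\Veeam ONE Reporter Server'
)
$ErrorActionPreference = 'Stop'

# Checksums published in the article. It lists three MD5/SHA1 pairs without naming the
# package each belongs to, so the downloaded file is accepted if it matches any one pair.
$PublishedHashes = @(
    @{ MD5 = '4BA7E812769F0C4FB98331E20B498C01'; SHA1 = '1604B837E25041D863B432A6C3D1EE12E640ED62' },
    @{ MD5 = '0DCDD67FE151FFC8242469B75AED3025'; SHA1 = '1AFB3B762BF46B76337A94D30066EA7F3AABBCB1' },
    @{ MD5 = '93B87925C4AFB030DDA6388DF31E5984'; SHA1 = '74AD4B5A18A16276F74043F3098D6ED6132C97D0' }
)

# Joins a relative subfolder onto a base path; an empty Rel means the base itself.
function Sub([string] $Base, [string] $Rel) { if ($Rel) { Join-Path $Base $Rel } else { $Base } }

# Step 1: the installed build must be the build the package was built for. On a
# mismatch the Reporting Service would fail to start after the files are swapped.
$packages = @(Get-Package -Name 'Veeam ONE*' -ErrorAction SilentlyContinue)
if ($packages.Count -eq 0) { throw 'No Veeam ONE package is installed on this host.' }
if (-not ($packages | Where-Object { [string]$_.Version -eq $ExpectedBuild })) {
    $found = ($packages | ForEach-Object { "$($_.Name) $($_.Version)" }) -join ', '
    throw "Installed: $found. This hotfix is built for $ExpectedBuild; aborting."
}

# Step 2: verify the downloaded package against the published checksums.
$md5  = (Get-FileHash -Path $HotfixZip -Algorithm MD5).Hash
$sha1 = (Get-FileHash -Path $HotfixZip -Algorithm SHA1).Hash
if (-not ($PublishedHashes | Where-Object { $_.MD5 -eq $md5 -and $_.SHA1 -eq $sha1 })) {
    throw "Checksums of $HotfixZip (MD5 $md5, SHA1 $sha1) match no published package; aborting."
}

# Step 3: stop both services and wait until they actually report Stopped.
$services = Get-Service -DisplayName 'Veeam ONE Monitoring Service', 'Veeam ONE Reporting Service'
$services | Stop-Service
$services | ForEach-Object { $_.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2)) }

# Step 4: copy the files into place, keeping a copy of every file that is overwritten.
$staging = Join-Path $env:TEMP ('VeeamONE-hotfix-' + [guid]::NewGuid())
Expand-Archive -Path $HotfixZip -DestinationPath $staging -Force
$backup = Join-Path $env:ProgramData ('VeeamONE-hotfix-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$copyPlan = @(
    @{ Rel = '';           Filter = '*.dll' },   # DLLs in the zip root -> Reporter Server\
    @{ Rel = 'Collecting'; Filter = '*' },       # Collecting\ -> Reporter Server\Collecting\
    @{ Rel = 'Reporting';  Filter = '*' }        # Reporting\  -> Reporter Server\Reporting\
)
foreach ($step in $copyPlan) {
    $src = Sub $staging $step.Rel
    if (-not (Test-Path $src)) { continue }      # 11/11a packages carry fewer files than 12
    $dst = Sub $InstallRoot $step.Rel
    foreach ($file in Get-ChildItem -Path $src -Filter $step.Filter -File) {
        $target = Join-Path $dst $file.Name
        if (Test-Path $target) {
            $bkDir = Sub $backup $step.Rel
            New-Item -ItemType Directory -Path $bkDir -Force | Out-Null
            Copy-Item -Path $target -Destination $bkDir -Force
        }
        Copy-Item -Path $file.FullName -Destination $target -Force
        Write-Host "Replaced $target"
    }
}

# Step 5: start the services again and confirm they come up. The Reporting Service is
# the one the article names as failing to start when the wrong package was applied.
$services | Start-Service
try {
    $services | ForEach-Object { $_.WaitForStatus('Running', [TimeSpan]::FromMinutes(2)) }
    Write-Host "Hotfix applied; overwritten originals are under $backup"
} catch {
    throw "A service did not reach Running. Originals for rollback are in $backup. $_"
}
```

The checksum check deliberately requires both the MD5 and the SHA1 of one published pair to match, and the build check runs before anything is stopped, so a wrong package leaves the server untouched rather than with a Reporting Service that will not start.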
If you have any questions or require assistance, please create a Veeam Support case.
More Information
The vulnerabilities associated with CVE-2023-38547, CVE-2023-38548, and CVE-2023-38549 were reported by Jarmo Puttonen (@putsi).