- 46/2024
- High
Veeam has released a security update to fix several vulnerabilities across multiple Veeam products.
The addressed vulnerabilities could allow the remote authenticated attacker to obtain sensitive information, such as plans from other scopes, or obtain the service account’s NTLM hash and use this information to launch further attacks against the affected system.
The addressed vulnerabilities:
1. Veeam Recovery/Disaster/ Availability Orchestrator Information Disclosure Vulnerability (CVE-2024-22022):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Obtain Information
2. Veeam Recovery/Disaster/ Availability Orchestrator Information Disclosure Vulnerability (CVE-2024-22021):
- CVSS: 6.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Obtain Information
Affected products:
- Veeam Recovery Orchestrator 6.
- Veeam Disaster Recovery Orchestrator 5.
- Veeam Availability Orchestrator 4.
Vulnerabilities
- CVE-2024-22022
- CVE-2024-22021
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.