Veeam Security Advisory Service Provider Console Resolved Vulnerability (CVE-2024-29212 )
Company encourages service providers using supported versions of Veeam Service Provider Console (versions 7 and 8) to update to latest cumulative patch.
This is a Press Release edited by StorageNewsletter.com on May 15, 2024 at 2:01 pmVeeam Software, Inc. had published a security advisory concerning the Veeam Service Provider Console.
| KB ID: | 4575 |
| Product: | Veeam Service Provider Console | 4.0 | 5.0 | 6.0 | 7.0 | 8.0 |
| Published: | 2024-05-07 |
| Last modified: | 2024-05-08 |
Article applicability
This article documents a vulnerability discovered in Veeam Service Provider Console.
This vulnerability does not affect other Veeam products (e.g., Veeam Backup & Replication, Veeam Agent for Microsoft Windows, Veeam ONE).
Issue detail:
-
CVE-2024-29212
Due to an unsafe deserialization method used by the Veeam Service Provider Console (VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
This vulnerability was detected during internal testing.
Severity: Critical
CVSS v3.1 Score: 9.9
Solution
The vulnerability documented in this article was fixed starting in the following builds of Veeam Service Provider Console:
Critical update
The company encourage service providers using supported versions of Veeam Service Provider Console (versions 7 and 8) to update to the latest cumulative patch. Service Providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console.
Subscribe to our free daily newsletter
