Veeam has put out a security advisory to address multiple vulnerabilities in the Veeam recovery orchestrator.

CVE-2024-22021

Vulnerability CVE-2024-22021 allows a Veeam Recovery Orchestrator user with a low privileged role (Plan Author) to retrieve plans from a Scope other than the one they are assigned to.

Affected Version(s)*:

• Veeam Recovery Orchestrator 6
• Veeam Disaster Recovery Orchestrator 5
• Veeam Availability Orchestrator 4

Severity: Medium CVSS v3.1 score: 4.5

CVE-2024-22022

Vulnerability  CVE-2024-22022 allows a Veeam Recovery Orchestrator user that has been assigned a low-privileged role to access the NTLM hash of the service account used by the Veeam Orchestrator Server Service.

Affected Version(s)*:

• Veeam Recovery Orchestrator 6
• Veeam Disaster Recovery Orchestrator 5
• Veeam Availability Orchestrator 4

Severity: High CVSS v3.1 score: 8.8

• Veeam Recovery Orchestrator 6
• Veeam Disaster Recovery Orchestrator 5
• Veeam Availability Orchestrator 4

• Vulnerability CVE-2024-22021 allows a Veeam Recovery Orchestrator user with a low privileged role (Plan Author) to retrieve plans from a Scope other than the one they are assigned to.
• Vulnerability  CVE-2024-22022 allows a Veeam Recovery Orchestrator user that has been assigned a low-privileged role to access the NTLM hash of the service account used by the Veeam Orchestrator Server Service.

Administrators are recommended to review both CVE and perform the necessary upgrade to the version mentioned below.

- The vulnerabilities documented in this article are already fixed in Veeam Recovery Orchestrator version 7.

- Customers are advised to upgrade to the latest Veeam Recovery Orchestrator version.

- Upgrade to Veeam Recovery Orchestrator 7