Release Information for Veeam Backup & Replication 12.1 and Updates

Security

Vulnerabilities

^{Indicated severity values are CVSS 3.1 scores.}

Veeam Backup Enterprise Manager (VBEM)

• CVE-2024-29849 | Severity: Critical (9.8)
  This vulnerability in VBEM allows an unauthenticated attacker to log in to the VBEM web interface as any user.
• CVE-2024-29850 | Severity: High (8.8)
  This Vulnerability in VBEM allows account takeover via NTLM relay.
• CVE-2024-29851 | Severity: High (7.2)
  This vulnerability in VBEM allows a high-privileged user to steal the NTLM hash of the VBEM service account if that service account is anything other than the default Local System account.
• CVE-2024-29852 | Severity: Low (2.7)
  This vulnerability in VBEM allows high-privileged users to read backup session logs.

Veeam Agent for Windows (VAW)

• CVE-2024-29853 | Severity: High (7.8)
  This vulnerability in VAW allows for Local Privilege Escalation.

Third-Party Components

• VMware Virtual Disk Development Kit (VDDK) is no longer directly integrated into the Veeam Transport component and is now only installed for backup infrastructure roles involved in vSphere interaction.
• VMware Virtual Disk Development Kit (VDDK) was updated to 7.0.3.4 to address CVE-2023-38545.
• Microsoft .NET 6.0.25 was updated to 6.0.29.
• Microsoft WebView2 was updated to 123.0.2420.81.
• PostgreSQL installer was updated to 15.6.1.
• PuTTY was updated to 0.81.
• Curl was updated to 8.5.

Hardened Repository

• Hardened repositories installed on RHEL 8/9 and Rocky 8/9 now support applying DISA STIG profiles.
   

New Features and Enhancements

Platform Support

• AlmaLinux 9.3 and Rocky 9.3 supported for use as Linux-based backup repositories and backup proxies.
• Microsoft Azure Stack HCI 23H2 (March 2024 build) support.
• Microsoft SharePoint Subscription Edition 24 H1 support for application-aware image processing.

General

• Improved VMware NBD (Network Transport Mode) transport mode performance by up to 2x.
• Backup Copy jobs now support using other backup copy jobs as a source for VMware, Cloud Director, and Hyper-V workloads.
• Reduced the performance impact of disk fragmentation on ReFS repositories with Integrity Streams disabled by removing the unneeded low-level file system call.
• Improved Veeam Backup Enterprise Manager data collection performance.
• Veeam AI Assistant window now leverages Markdown markup language for prettier output.
• Windows and Syslog events now contain the backup server’s build number.
• ZFS Block Cloning technology preview. This preview aims to allow Veeam enthusiasts to test the long-term stability and performance of this new ZFS capability. This functionality is currently not supported for production use (not even under Experimental Support terms) and, therefore, should only be used in test labs. For more information, please refer to this Veeam R&D Forum thread.

Malware Detection

• Added the ability to exclude specific file paths from suspicious file system activity analysis.
• Bulk Rename events will now create detailed logs with the list of affected files in the following location: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\
• Malware detection-related Windows events and Syslog events now provide additional information such as object names, restore point timestamps, and backup server version.
• To reduce the number of false positives from the suspicious file system activity analysis engine, the threshold for the minimum number of modified or deleted files has been increased.
• The sensitivity settings of the proprietary ML malware detection model have been tuned to reduce false positives coming from the inline detection engine.
• To reduce confusion, the “Ransomware Note” malware detection event has been renamed to “Onion Links.”
• Onion links are now detected even in files that are 900 bytes or smaller in size, which NTFS stores directly in the MFT partition.
• Malware detection logs are now archived every week into dedicated zip packages.

Enterprise Applications

• Added support for network traffic encryption (configured in the Global Network Traffic rules dialog) for all application plug-ins.
• Veeam Plug-in for Oracle RMAN: multiple Oracle RAC and Oracle Exadata deployment scenario specific enhancements in response to real-world customer feedback.
• To simplify disaster recovery scenarios, the Db2 plug-in configuration tool now includes a command to get the list of available restore points with timestamps from Veeam Backup & Replication.
• The Microsoft SQL Server plug-in will now intercept errors during backup and recovery command execution and return these error codes to the SQL Server to ensure that the SQL Agent Jobs does not report false-successful results.
• Microsoft SQL Server plug-in will now use the latest version of the ODBC driver present in the system in cases when ODBC driver v17 is not present. You can also force the specific version usage through veeam_config.xml.
• Veeam Plug-in for SAP on Oracle: added support for Oracle Linux 8.

Object Storage

• Veeam Data Cloud Vault, a fully managed secure cloud object storage by Veeam, is now integrated directly into the user interface.
• Scale-out backup repositories now support multiple Performance Tier and Capacity Tier extents backed by Smart Object Storage API (SOSAPI) enabled object storage.
• AWS S3 and IBM Cloud Storage: The default generation period value was increased for AWS S3 and IBM Cloud Storage object storage repositories to minimize the number of API calls and reduce the total storage cost.
• Added support for the new AWS region: Canada West (Calgary).
• Lowered CPU consumption on the backup server during the checkpoint removal process.

Primary Storage

• IBM SVC: Default grainsize and rsize parameter values for creating IBM FlashCopy snapshots were changed to the values recommended by the vendor to improve backup from storage snapshots job performance.

Secondary Storage

• Dell Data Domain: Added support for DDOS 8.0.
• Dell Data Domain: The default DDBoost connection cache value was increased, and the cache itself was optimized to reduce the number of active connections significantly; improved backup performance to Scale-Out Backup Repository with a large number of Data Domain extents.

Security & Compliance Analyzer

• A new backup infrastructure check was added to ensure that the PostgreSQL instance hosting the configuration database has been configured with the recommended settings. These settings can be applied with the Set-VBRPSQLDatabaseServerLimits cmdlet.
• All service status validations now also check whether the checked services are running instead of only verifying their startup type.
• Improved the “Host to Proxy traffic encryption” test to cover additional backup proxy deployment scenarios.

Veeam Agents

• Veeam Agent for Windows 6.1.2.134:
  • Support for Metadata Service Version 2 for AWS machines added to Cloud Native protection groups.
• Veeam Agent for Linux 6.1.2.1781:
  • AlmaLinux 9.3 & 9.4, RHEL 9.4, Rocky 9.3 & 9.4, and Ubuntu 24.04 Linux distributions support.
  • Support for booting Recovery Media in a PXE environment.
  • Support for Metadata Service Version 2 for AWS machines added to Cloud Native protection groups. 
• Veeam Agent for Mac 2.1.2.464
  • Added the ability to exclude folders from backup.
  • Objects with the com.apple.metadata:com_apple_backup_excludeItem attribute are now automatically excluded from backup.
• Veeam Agent for Solaris 4.1.1.1423
  • Added Bare Metal Recovery support for the latest Solaris updates.
     

Resolved issues

General

• Processing rate values over 1GB/s are displayed as a whole number only. They will now be rounded to one decimal place.
• High RAM consumption on backup infrastructure components with a large number of CPU cores due to autoscaling the number of buffers according to core count.
• High RAM consumption by Veeam Catalog Service when processing machines containing more than 10 million files.
• High RAM consumption during support log bundle export activity.
• Marking backup as infected was not correctly applied to restore points created by CDP jobs.
• Restore from configuration backup fails when the File to Tape catalog contains over 1 billion records.
• Security & Compliance Analyzer treats Windows Firewall settings applied with a Group Policies Object (GPO) as not implemented best practice.
• Attempting to revoke a capacity-based license fails with the following error:
  This type of CollectionView does not support changes to its SourceCollection from a thread different from the Dispatcher thread.

VMware vSphere

• The maximum number of allowed simultaneous NFC connections has been reduced slightly to avoid jobs failing with “VDDK error 16000” in highly loaded vSphere environments.
• High RAM consumption on Linux backup proxies during backup from storage snapshots.
• Instant Recovery to VMware from a Nutanix AHV backup containing Ubuntu VM with LVMs disks fails to start the restored VM.
• The CDP failover wizard does not highlight intervals where malware activity was detected.

Microsoft Hyper-V

• Hyper-V CBT rescan generates unnecessary warnings for standalone SMB3 servers.
• Guest processing via PowerShell Direct fails when PowerShell 2.0 is uninstalled from the Hyper-V host and replaced with a newer version.

Cloud Director

• Self-Service Backup Portal: Job templates do not propagate 8MB block size selection to provisioned backup jobs.
• Veeam Plug-in for VMware Cloud Director: Plugin encounters a failure when interacting with the latest versions of Cloud Director (10.4.1 and higher) when deployed in a multisite environment.

Agent Management

• The managed by backup server jobs report displays incorrect backup size.
• Agent backup jobs to S3-compatible object storage repositories start failing on the configuration import step if the object storage certificate changes.

Unstructured Data Backup

• Backup I/O Control does not correctly apply the specified throttling settings in certain scenarios.
• Backup of open files hosted Windows Servers with the following error:

  Unable to backup \\?\. Unexpected content stream size.
  

• Deleting one of the file shares from a source backup results in the associated Backup Copy jobs moving existing backups to the Orphaned node.
• Backup Copy jobs attempt to copy incomplete restore points that are still being processed by a source backup job.
• Each health check task deploys a separate Helper Appliance, potentially resulting in a very large number of appliances created.
• Restoring an object storage bucket to its original location fails if the bucket has been removed from the source infrastructure.
• The max concurrent tasks prompt now bases its suggestion on both the RAM and CPU count of the backup proxy server, as opposed to core count only.

Backup Copy

• Backup Copy jobs may fail to process VM templates with the error:
  

  Cannot find the source backup for the object
  

SureBackup

• Some temporary files may erroneously remain in the virtual lab host’s datastores after SureBackup jobs are completed.
• Adjusted maximum allowed boot time setting in Hyper-V-based Virtual Labs for agent-based backups of Domain Controller.
• Advanced script settings are not applied to agent-based backup.

Tape

• The presence of agent-based backups with transaction log backups made the Backup to Tape jobs with the backup repository as scope fail with the following error:
  

  Sequence contains no matching element.
  

• Conflict with the source backup job resource locks may lead to successful tape jobs incorrectly marked as “Failed”.
• Querying the tape partition information fails for LTO3 and LTO4 tapes.
• Erasing tapes with an unknown block size is not possible.
• ANSI-encoded files could not be restored from File to Tape backup made from machines with the Japanese locale.

Primary storage

• Cisco Hyperflex: Storage rescan task and backup from storage snapshot fails on ESXi versions prior to 7.0.3.
• IBM FlashSystem: an empty volume group is left on the storage if a network problem occurs while a snapshot clone is being deleted.

Object storage

• The health check process erroneously attempts to verify restore points that have been offloaded to the Archive Tier.
• The checkpoint removal process may fail to resume loading Meta/Blocks/Checkpoints/metastore with the following error:
  

  S3 error: The specified version does not exist
  

• If the S3-compatible object storage fails to delete the temporary backup metadata, the subsequent  checkpoint repair processes fail with the error:

  Item is locked by a running session
  

• GFS checkpoint creation failure, followed by an unsuccessful repair attempt, causes backup jobs to fail with an access denied error.
• The Network.RetrieveSSLCertificate command does not timeout during the certificate revocation list check and, as a result, may hang indefinitely.
• Under certain circumstances, agents backing up directly to an object storage repository may hang on executing the Cloud.ReleaseLock command.
• Linux-based gateway servers may hang on the execution of the Cloud.CreateCheckpoint command against long and encrypted backup chains.
• Under rare circumstances, backup jobs pointed to an object storage repository may fail with the error:

  add_certificate_authority: cert already in the hash table
  

• The immutability update process appears to hang with no activity when processing long backup chains.

Scale-out Backup Repository

• The Capacity Tier Move policy incorrectly starts offloading full backup as soon as the corresponding restore point falls out of the operational restore window, thus affecting the restore performance of dependent incremental points that remain within the operation restore window and on Performance Tier.
• Removing an Archive Tier extent from a scale-out backup repository fails with the following error:
  

  Stored procedure execution failed
  

• Backups exported from the Archive Tier are downloaded to the Performance Tier, instead of remaining in object storage.
• Backups downloaded from Capacity Tier to a Performance Tier extent backed by a Linux, Dell Data Domain, or HPE StoreOnce backup repository does not utilize Fast Clone or Virtual Synthetic Full functionality.
• Backups created with a variable block size setting cannot be downloaded from a Capacity Tier to a Performance Tier extent backed by an HPE StoreOnce repository with a fixed block size setting enabled.

Veeam Cloud Connect

• The Get-VBRFailoverPlan and Get-VBRReplica cmdlets return empty sessions.
• Deleting a backup manually fails with the following error:

  Storage with id not found.
  

• Cloud gateway servers with more than two IP addresses configured may become unresponsive.
• Tenant backup quota’s usage is recalculated incorrectly after an agent-based backup chain transformation.
• Tenant Backup copy erroneously merges incomplete restore points instead of discarding them.

Enhancements

General

• PuTTy has been updated to version 0.80.

Malware Detection

• Malware detection based on file system activity analysis now creates a dedicated log file for each bulk file modification event to help you identify which files were removed or renamed. 
• The location of the corresponding log file is now displayed directly in the session logs and the event details.
• Added the ability to quickly and conveniently exclude all extensions that caused false-positive malware detection events from future monitoring directly from the event properties dialog.
  
  Note: Customers are advised to exclude extensions from monitoring only after verifying that a legitimate line of business application is producing the corresponding files.
• The monitored malware extensions management dialog was updated with an inline search capability that looks up the extension to ensure the correct syntax is used when excluding extensions from monitoring.

Backup Infrastructure

• Hardened repository servers and other managed Linux servers that were initially registered by leveraging single-use credentials no longer require enabling SSH Server and providing SSH credentials to perform Veeam components upgrade.

Resolved Issues

General

• Storage-level corruption guard email reports ignore the status-based event filter in the Global Email notification settings.
  
• Scan Backup does not leverage system locale settings and instead always displays the restore point date in the dd/mm/yyyy format.
• A rare condition of high CPU usage by the CatalogDataService.
• For configuration databases migrated from Microsoft SQL to PostgreSQL, job reports fail to open with the error:

  invalid XML content
  

Backup

• Disk blocks backing the swap file (pagefile.sys) are not excluded from backup when the corresponding option is enabled.
• Backup jobs fail to process VMs from two or more datastores backed by IBM SVC or derivative storage with FlashCopy snapshots enabled.

CDP

• In rare circumstances, CDP policies may experience a data loss.

Cloud Director

• Performing an "Entire VM Restore" with the option "Restore to a new location, or with different settings" performs a restore over the original VM despite a new VM name and vApp being selected in the restore wizard.

SureBackup

• SureBackup jobs are prevented from starting by a Transaction Log Backup Job, causing them to fail with the error:

  Cannot start Surebackup job to the latest restore point as some linked jobs are still running
  

• SureBackup jobs using Hyper-V-based virtual labs fail to process agent backups, displaying the error:

  Exception of type 'System.ArgumentOutOfRangeException' was thrown
  

• SureBackup jobs fail to start for certain machines, causing the error:

  The virtual machine cannot be powered on because the number of virtual CPUs is not a multiple of the number of cores per socket configured in the virtual machine
  

Object Storage

• Creating an object storage repository using Azure Storage with an Entra ID using a certificate for credentials fails with the error:

  Failed to initialize Azure token requester client with certificate credentials
  

• Offloading backups to an object storage repository backed by IBM Cloud fails with the error:

  Unable to find the specified file
  

Tape

• After upgrading to Veeam Backup & Replication 12.1, File-to-Tape job with no inclusion file mask specified process no data, whereas such configuration was previously treated as an implicit *.* inclusion mask.
• A Tape Job attempting to re-use a tape media that has been recently marked as available to use due to expired media pool retention may fail with the following error:

  The range specified in the FOR loop cannot have a NULL value
  

Setup

• NDMP tape jobs are erroneously included in the warning about File-to-Tape jobs requiring a license.
• Upgrading to version 12.1 from 11a fails if a File-to-Tape or NAS Backup job contains a folder with an apostrophe ( ' ) symbol in its name.