With the release of Veeam Backup & Replication 12.1.2, the VDDK libraries, which contained the libcurl library, are no longer included with the Veeam Transport package. After upgrading, the Veeam Transport Package on remote components will be updated, and the VDDK Library pack will only be deployed on components where it is needed (VMware Backup Proxies).
Additionally, Veeam Backup & Replication 12.1.2 included an updated VDDK library to address the libcurl (CVE-2023-38545) concern.
Impact: The solution section of this article has now been updated to advise that customers upgrade to the latest version of Veeam Backup & Replication.
The information below regarding VDDK library inclusion within the Veeam Transport Service is relevant only to versions of Veeam Backup & Replication older than version 12.1.2 (see notice at the top of this article for more information).
This Veeam KB article was created to address customers' concerns about the detection of libcurl by their security software on machines where the Veeam Transport Service is installed. Libcurl is a component of VMware VDDK (Virtual Disk Development Kit), which Veeam Backup & Replication redistributes to be able to protect VMware vSphere environments. Veeam Backup & Replication includes VDDK with the Veeam Transport Service package, which is deployed on managed machines for data movement purposes. A single Veeam Transport package is used for all situations where any portion of the Veeam Transport Services capabilities would be needed. Therefore, any server with the Veeam Transport Service installed will have VDDK libraries, regardless of whether the machine is part of a VMware vSphere backup infrastructure.
The information below regarding VDDK library inclusion within the Veeam Transport Service is relevant only to versions of Veeam Backup & Replication older than version 12.1.2 (see notice at the top of this article for more information).
Vulnerability detection software may issue false positive alerts based merely on the fact that the libcurl library file is present on a machine where the Veeam Transport Service has been deployed. Below is a list of component roles where Veeam Backup & Replication deploys the Veeam Transport Service for data movement purposes, meaning that the libcurl file contained in the VDDK libraries will also be found on servers holding these roles:
The solution is to upgrade to the latest version of Veeam Backup & Replication.
Starting with the release of Veeam Backup & Replication 12.1.2, the VDDK libraries, which contain the libcurl library, are no longer included with the Veeam Transport package. After upgrading, the Veeam Transport Package on remote components will be updated, and the VDDK Library pack will only be deployed on components where it is needed (VMware Backup Proxies).
Additionally, Veeam Backup & Replication 12.1.2 included an updated VDDK library to address the libcurl (CVE-2023-38545) concern.
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case