We are pleased to announce that the eleventh generation of our industry-leading software has been released! You can now experience all the latest innovations designed to provide you with a business advantage. Upgrading to the latest version provides many new features and usability enhancements.
- Save time by upgrading to the latest version now, rather than upgrading to an older version, and then upgrading again to the latest version at another time.
- Immediately benefit from all the new features and enhancements in the latest version.
- Version 9 clients are fully supported in a CommCell environment with the latest software, so it is not necessary to immediately upgrade all clients.
To learn more about the next generation of our software, see What's New.
Leap Year Support
Commvault software has been extensively tested and certified to provide leap year support. Note: if a monthly job is scheduled to run on a date that a month does not have, the job runs on the last day of that month. For instance, jobs scheduled to run on the thirtieth of each month will run on February 29 in a leap year, or February 28 in other years. For more information about scheduling jobs, see Scheduling - Getting Started.
Oracle has discovered an issue with some versions of their Java software. This issue prevents the CommCell Console from starting when it is accessed as a web-based application. To avoid this issue, do not install Java 8 Update 72, 74, 77, or later (versions 1.8.0_72, 1.8.0_74, 1.8.0_77, or later).
Cross-protocol attack on TLS on OpenSSL using SSLv2 (DROWN)
We have reviewed the OpenSSL Security Advisory posted on March 1, 2016, and can report that our firewall code uses TLS 1 and therefore is unaffected by this potential vulnerability.
For Commvault Web Console or Web Server, ensure that you are using the latest version of Microsoft IIS or Apache Tomcat, and that SSLv2 is disabled. Refer to the following articles for more information:
Linux Kernel Vulnerability Posted by NVD
Our engineering team has reviewed the NVD posting regarding a potential vulnerability in the Linux kernel before 4.4.1, as well as the response by Red Hat. Based on our review, we can report that Commvault does not use this API in our backup and recovery code, and that our File Recovery Enabler for Linux uses CentOS 6.x kernels. Our software is therefore not vulnerable to this potential threat.
Hotfix Available for Vulnerability Posted by Software Engineering Institute – CERT Division
Commvault acts swiftly on all security risks to verify the authenticity of the risk and any required resolution of that risk for all supported versions of our software. Our engineering team has reviewed the CERT posting and we have identified a potential security vulnerability in the Web Console through our own testing. At this time, there have been no customer reports of this issue.
To address this issue, apply one of the following Hotfixes:
- V10 SP12: SP12-HotFix 18 LoginCookieSecurityFix WinX64
- V10 SP11: SP11-HotFix 56 LoginCookieSecurityFix10sp11 WinX64
- V10 SP10: SP10-HotFix 79 LoginCookieSecurityFixV10sp10 WinX64
For more information about downloading and installing updates, see Updates and Service Packs - Overview.
Network Time Protocol (NTP) Software Security Vulnerabilities
Questions have arisen concerning Simpana software’s exposure to recently announced Network Time Protocol (NTP) software security vulnerabilities. Any exposure is limited to an appliance Linux virtual machine provided for live browse of backups of UNIX VMs. NTP software patched to the latest NTP 2.4.8 version is installed on the Linux VM. It is disabled by default because Simpana software does not use NTP for any of its functionality. If you are running a version of NTP older than 2.4.8, we recommend that you apply all applicable security updates for NTP.
Because time synchronization is essential to network-based applications, we recommend all applicable security updates for network, operating system, and application software be applied to all CommVault software hosts as recommended by vendors.
For more information about NTP vulnerabilities, see http://support.ntp.org/bin/view/Main/SecurityNotice.
GHOST (CVE-2015-0235) - Critical glibc Vulnerability in Linux
The GHOST vulnerability in Linux operating systems affects the gethostbyname() and gethostbyname2() function calls in the glibc library. It can allow a remote attacker who is able to make an application call either of these functions to execute arbitrary code. Any application performing DNS resolution using these two function calls in the glibc library is affected. Since Simpana Services communicate over the network, these routines may be invoked directly or indirectly on computers with a Linux operating system.
All customers are urged to update or patch any computers running Linux as soon as possible and to follow the security recommendations from the Linux vendor to address this vulnerability:
- Contact the Linux vendor for the latest version of glibc, and update glibc on all Linux computers.
- After updating, restart the computer.
- Restart Simpana Services.
Additionally, for virtual machines with File Recovery Enabler for Linux installed, do the following:
- Update an existing File Recovery Enabler for Linux by running "yum update" in a root shell.
- Restart the virtual machine.
- Restart Simpana Services.
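Why the restart steps above matter, as an added example that is not Commvault code: a running process keeps the old glibc mapped until it restarts, and the kernel shows that mapping as "(deleted)" in /proc/<pid>/maps. The script lists such processes; the sample tree, PIDs and process names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): list processes still running on a glibc
# file that was replaced on disk by a package update.

# Succeeds if the /proc/<pid>/maps text on stdin maps a deleted libc.
# Matches libc-2.12.so and libc.so.6 style names, not libcrypto or libcap.
stale_libc_in_maps() {
    grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$'
}

# stale_pids [ROOT]: print "PID NAME" for each process under ROOT
# (default /proc) that still maps the old, deleted libc.
stale_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if stale_libc_in_maps < "$maps"; then
            dir=${maps%/maps}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            echo "${dir##*/} $name"
        fi
    done
}

# Constructed sample: a fake /proc tree with one stale and one current process.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/202"
    echo 'backup-svc' > "$d/101/comm"   # hypothetical service name
    echo 'sshd' > "$d/202/comm"
    printf '%s\n' \
      '7f10a0000000-7f10a018a000 r-xp 00000000 fd:00 1311 /lib64/libc-2.12.so (deleted)' \
      > "$d/101/maps"
    printf '%s\n' \
      '7f20b0000000-7f20b018a000 r-xp 00000000 fd:00 1422 /lib64/libc-2.12.so' \
      '7f20b0400000-7f20b0420000 r-xp 00000000 fd:00 1500 /usr/lib64/libcrypto.so.10 (deleted)' \
      > "$d/202/maps"
    echo "$d"
}

sample=$(make_sample)
stale_pids "$sample"    # on a live host, run as root: stale_pids /proc
rm -rf "$sample"
```

An empty result from `stale_pids /proc` after the restarts indicates that no running process is still using the pre-update library.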
To install a new File Recovery Enabler for Linux, download the patched version, FBRTemplate64.ova - File Recovery Enabler for Linux (FRE) with SP9 (patched for GHOST & NTP vulnerabilities) from the Cloud Services site or from Maintenance Advantage. For detailed installation instructions, see Deploying the File Recovery Enabler.
Some OpenSSL versions are vulnerable to attack. Recent news articles have reported that some versions of OpenSSL are vulnerable to the Heartbleed bug, man-in-the-middle (MITM) attacks, and other issues. Simpana software is routinely tested for security threats, and none of these OpenSSL issues were found to be applicable.
As of version 10 SP9, Simpana software uses OpenSSL version 1.0.1j, which is not affected by the Heartbleed bug. Moreover, Simpana software uses OpenSSL on the client side and is thus not susceptible to most of the server-based attacks.
As of version 10 SP7 and version 9.0 SP14, Simpana software uses OpenSSL version 1.0.0. These versions are not affected by the Heartbleed bug. However, if your IT policy mandates using a newer version of OpenSSL with Simpana software, you can do so by installing the following updates:
- For Simpana Software version 10: Service Pack 9 (OpenSSL 1.0.1j)
- For Simpana Software version 9.0: Update 46852 (OpenSSL 1.0.1h)
This update can be installed over any Service Pack on this release, and it is available from the Software Store.
OpenSSL Security Advisory dated 3 Dec 2015 - Update 4 Dec 2015
OpenSSL vulnerabilities CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, and CVE-2015-3195 as described in OpenSSL.org's Security Advisory do not affect Simpana software.
For VMware using ESXi 6.0 EP6 (build 3825889), incremental backups that use application quiescing are equivalent to Full Backups
A known issue with VMware ESXi 6.0 EP6 (build 3825889) causes Changed Block Tracking (CBT) to return all blocks for a virtual disk, resulting in backups that are the total size of the virtual disk. This affects backup applications, including Simpana®, when incremental backups are run using application-consistent quiescing with CBT for guest virtual machines running Windows 2008 or later.
Note: This issue does not result in data loss, but does increase the size and running time of incremental backups.
For more information and workarounds, see the VMware KB article After upgrading to ESXi 6.0 Build 3825889, incremental virtual machine backups effectively run as full backups when application consistent quiescing is enabled (2145895).
Hotfix to Address Potential Data Loss with ESXi 6.0 and Incomplete Incremental Backups Using Changed Block Tracking
VMware has identified an issue in a VMware CBT API call that can affect backups for virtual machines hosted on ESXi 6.0, ESXi 6.0u1, or ESXi 6.0u1a. The API call can return incorrect changed sectors, causing incomplete incremental backups.
VMware has issued a patch to resolve this issue:
After installing the VMware patch and rebooting the host, do one of the following:
- If you previously installed one of the following Commvault HotFixes to address this issue, the next backup will use CBT. The next incremental backup will protect any blocks that have changed since the last full CBT backup.
- If you have not applied a Commvault HotFix, previous CBT incremental backups might not be valid, and you should perform a full backup to ensure that you are protected against data loss.
For more information, see the VMware KB article Backing up a Changed Block Tracking enabled virtual machine in ESXi 6.0.x returns incorrect changed sectors (2136854).
Support for VMware vSphere 6.0
Version 6.0 of VMware vSphere, vCenter, vCenter Server Appliance, ESXi, and Virtual Disk Development Kit (VDDK) is now supported with the Virtual Server Agent (VSA) for VMware and IntelliSnap for VMware. VMware vSphere 6.0 includes support for virtual machine hardware versions 7, 8, 9, 10, and 11.
For more information about vSphere 6.0, see VMware vSphere 6 Documentation.
Note: With VDDK 5.5 and later, 32-bit libraries and binaries are no longer supported. VDDK 5.1 can be used with existing 32-bit VSA proxies.
Deprecation and End-of-Life
Exchange Mailbox Archiver
This product is now available as Simpana OnePass for Exchange Mailbox.
- Exchange Mailbox Archiver Agent reached end-of-life in October 2015.
- After this agent has reached end-of-life:
  - No more changes or fixes for this agent will be supported in Simpana version 10 and earlier.
  - Only recovery jobs will be supported in future releases of Simpana, and no archive jobs will be allowed.
- If you have Exchange Mailbox Archiver Agent installed on an existing client, we recommend that you transition to Simpana OnePass for Exchange Mailbox as described in Transitioning from Traditional Archiver to Simpana OnePass for Exchange Mailbox.
- New installations of Exchange Mailbox Archiver Agent are no longer supported.
If you plan to upgrade to the current version, see Upgrading - Exchange Mailbox Archiver Agent.