Report a Security Vulnerability
To report a new vulnerability, click here.
Security Advisories
CV_2023_05_1: Volt Typhoon Advisory
Advisory ID: CV_2023_05_1
Issued On: May 26, 2023
Updated On: May 26, 2023
Severity: Critical
Affected Products
Following the public reporting of the Volt Typhoon cyber campaign, our team has conducted a thorough security assessment of the Commvault and Metallic services and has found no impact to the security, privacy, or integrity of your data backups.
Resolution
We also recommend that you check your Commvault and Metallic environments to ensure that security controls such as the following are active:
MFA is properly configured and up to date
Dual authorization workflows are in place for backup and restore operations
Compliance locks are enabled for services, apps, and backup destinations
Additionally, for customers looking for an extra layer of protection, we encourage you to evaluate ThreatWise, capable of surfacing zero-day and unknown threats in production environments.
CV_2022_10_2: Remote Memory Corruption Vulnerability in OpenSSL
Advisory ID: CV_2022_10_2
External Reporting ID: CVE-2022-2274
Issued On: October 31, 2022
Updated On: October 31, 2022
Severity: Critical
Affected Products
The vulnerability does not affect Commvault products.
Resolution
CVE-2022-2274 affects only OpenSSL 3.0.4, which introduced the bug in the RSA implementation for x86_64 CPUs with AVX512IFMA support; it was fixed in OpenSSL 3.0.5. Commvault uses OpenSSL 1.1.1, which is not affected. This applies to all Commvault Software, HyperScale X, ThreatWise, and Commvault Distributed Storage (CDS) packages.
CV_2022_10_1: Remote Code Execution Vulnerability in Apache Commons Text
Advisory ID: CV_2022_10_1
External Reporting ID: CVE-2022-42889
Issued On: October 18, 2022
Updated On: October 18, 2022
Severity: High
Affected Products
The vulnerability does not affect Commvault products.
Resolution
As a precautionary measure, we have upgraded the Apache Commons Text version in our product.
Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.
CV_2022_04_1: Remote Code Execution Vulnerability in the Spring Framework
Advisory ID: CV_2022_04_1
External Reporting ID: CVE-2022-22963, CVE-2022-22965
Issued On: April 01, 2022
Updated On: April 01, 2022
Severity: High
Affected Products
The vulnerability does not affect Commvault products.
Resolution
As stated in the Spring.io blog post on CVE-2022-22965, an application deployed as a Spring Boot executable jar (the default packaging) is not vulnerable; the known exploit requires the application to be deployed as a WAR on Apache Tomcat and to run on JDK 9 or later. Commvault internally uses the Message Queue application, which is packaged as the default Spring Boot executable jar and is therefore not vulnerable to the exploit.
As a precaution, we have upgraded the Message Queue application and the Oracle and Microsoft SQL agents to the Spring version recommended by Spring.io.
Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.
Feature Release | Maintenance Release |
---|---|
11.26 | |
11.25 | |
11.24 | |
11.23 | |
11.20 | |
SP16 | |
CV_2022_01_1: Local Privilege Escalation Vulnerability in Polkit's pkexec Utility
Advisory ID: CV_2022_01_1
External Reporting ID: CVE-2021-4034
Issued On: January 29, 2022
Updated On: January 29, 2022
Severity: High
Affected Products
The vulnerability may affect the Commvault Hyperscale products.
Resolution
To fix this vulnerability, install the February 2022 operating system updates on the HyperScale nodes. pkexec is part of the operating system's polkit package, so no Commvault maintenance release is required.
For more information, see the following:
Installing Updates on HyperScale X Appliance
Installing Updates on HyperScale X Reference Architecture
Installing Operating System Updates for Hyperscale 1.5 Appliance
Installing Operating System Updates for Hyperscale 1.5 Reference Architecture
CV_2021_12_1: Vulnerability in Apache Log4j Logging Libraries Impacting Commvault Products
Advisory ID: CV_2021_12_1
External Reporting IDs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832
Issued On: December 11, 2021
Updated On: February 01, 2022
Severity: Critical
Version: 6.0
Affected Products
The vulnerability may affect the following Commvault products:
Cloud Apps package
Oracle agent - Database archiving, data masking, and logical dump backup
Microsoft SQL Server agent - Database archiving, data masking, and table level restore
Commvault Distributed Storage
HyperScale X Appliance and Reference Architecture
Resolution
An update has been issued that removes Log4j 1.x and replaces any older Log4j 2.x versions with Log4j 2.17.1 in the affected Commvault packages.
Download and install the following maintenance releases for your feature release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.
The version of Apache Log4j included with the following maintenance releases is not vulnerable to the CVEs listed in this security advisory. Additionally, the log4j-over-slf4j binaries included with the platform are not vulnerable to these CVEs, as outlined at https://www.slf4j.org/log4shell.html. log4j-over-slf4j is a bridge library that removes the dependency on Log4j: it exposes an API that mimics the signatures of the Log4j 1.x logging functions and routes those calls to SLF4J, which in turn routes them to whatever logging implementation is actually in use. Because it contains no Log4j implementation code, it is typically used to migrate quickly from Log4j to another logging implementation; any other library with "log4j-over-slf4j" in its name serves the same purpose.
Older Log4j versions (1.2 and 2.3) are automatically removed from the installation when you upgrade the clients to the following maintenance release versions:
Feature Release | Maintenance Release |
---|---|
11.26 | |
11.25 | |
11.24 | |
11.23 | |
11.20 | |
SP16 | |
To upgrade the Commvault Distributed Storage (CDS) package, download and install Hedvig Release 4.5.3 from the Commvault Store. For more information, see Upgrading Clusters Non-disruptively.
To upgrade the Commvault HyperScale X software, install the operating system updates on the Hyperscale nodes. For more information, see the following:
Installing Updates on HyperScale X Appliance
Installing Updates on HyperScale X Reference Architecture
Note: Although Commvault v10 products are not affected by this vulnerability, we highly recommend that you upgrade the v10 agents to the most recent v11 version of the software.
Also, see Log4j Files in Microsoft SQL Server 2019 Installations.
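The check below is an added example, not part of this advisory and not Commvault's updater. It walks an install tree, finds Log4j jars and classifies each one against the baseline the update above establishes (Log4j 2.17.1 installed, Log4j 1.x removed), treating log4j-over-slf4j as the unaffected bridge described in the resolution. The install root, the jar names and the sample tree that build_sample_tree() creates are constructed for illustration; the fixed backports for the Java 6/7 lines (2.3.2 and 2.12.4) are not modelled and would be flagged even though they are patched.

```python
"""
Inventory the Log4j jars under an install tree and classify each one
against the baseline the advisory installs (log4j 2.17.1, log4j 1.x removed).

Added example; not Commvault code. Jar names, the install root and the
sample tree built by build_sample_tree() are constructed for illustration.
"""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
FIXED_2X = (2, 17, 1)  # version the maintenance release ships
VERSION_RE = re.compile(r"-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(jar_name):
    """'log4j-core-2.14.1.jar' -> (2, 14, 1); 'log4j-core-2.3.jar' -> (2, 3, 0)."""
    m = VERSION_RE.search(jar_name)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def classify_jar(path):
    """Return one of: bridge, api, fixed, vulnerable, outdated, log4j1, unknown."""
    name = os.path.basename(path).lower()
    if "log4j-over-slf4j" in name:
        # Bridge that re-routes the log4j 1.x API to slf4j; it carries no
        # log4j implementation code, so none of the listed CVEs apply.
        return "bridge"
    if name.startswith("log4j-api-"):
        return "api"  # the API jar alone has no lookup or appender code
    ver = parse_version(name)
    if ver is None:
        return "unknown"
    if name.startswith("log4j-core-"):
        if ver >= FIXED_2X:
            # 2.17.1 still ships JndiLookup.class (JNDI disabled by default),
            # so for current jars the version, not the class, is the check.
            return "fixed"
        with zipfile.ZipFile(path) as z:
            has_jndi = JNDI_CLASS in z.namelist()
        # Lookup class present: CVE-2021-44228/45046 exposure.
        # Lookup class deleted by hand: 45105/44832 still apply, so update.
        return "vulnerable" if has_jndi else "outdated"
    if name.startswith("log4j-") and ver[0] == 1:
        return "log4j1"  # EOL; CVE-2021-4104 if JMSAppender is configured; remove
    return "unknown"


def scan_tree(root):
    """Map each *.jar under root (path relative to root) to its classification."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                full = os.path.join(dirpath, f)
                results[os.path.relpath(full, root)] = classify_jar(full)
    return results


def needs_action(results):
    """Jar names the advisory's update would remove or replace, sorted."""
    return sorted(os.path.basename(p) for p, c in results.items()
                  if c in ("vulnerable", "outdated", "log4j1"))


def build_sample_tree(root):
    """Constructed sample install tree: tiny jars holding only marker entries."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    samples = {
        "log4j-core-2.14.1.jar": [JNDI_CLASS],   # unpatched 2.x
        "log4j-core-2.17.1.jar": [JNDI_CLASS],   # what the update installs
        "log4j-core-2.16.0.jar": [],             # JndiLookup removed by hand
        "log4j-api-2.14.1.jar": [],
        "log4j-1.2.17.jar": [JMS_APPENDER],      # legacy 1.x
        "log4j-over-slf4j-1.7.32.jar": [],
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(lib, name), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for entry in entries:
                z.writestr(entry, b"")
    return lib


def scan_sample():
    """Build the constructed tree in a temp dir, scan it, key results by jar name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.basename(p): c for p, c in scan_tree(tmp).items()}


if __name__ == "__main__":
    found = scan_sample()
    for jar, cls in sorted(found.items()):
        print(f"{cls:10s} {jar}")
    print("needs action:", needs_action(found))
```

Point scan_tree() at the Commvault install root (for example the ContentStore folder on Windows clients); whatever needs_action() returns is the set of jars the maintenance release would remove or replace. Because JndiLookup.class is still present in 2.17.1 with JNDI disabled by default, the class-presence test is only used for jars already known to be below the fixed version.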
CV_2021_08_1: Authentication Bypass Vulnerabilities on CVWebService Endpoint
Advisory ID: CV_2021_08_1
External Reporting IDs: CVE-2021-34993, CVE-2021-34994, CVE-2021-34995, CVE-2021-34996, CVE-2021-34997
Issued On: August 08, 2021
Updated On: August 08, 2021
Severity: Medium
Version: 1.0
Description
The following security vulnerabilities were reported with Commvault’s CVWebService Web Server endpoint:
Authentication bypass on a subset of web server APIs allows unauthorized users to download files from the web server.
CommCell users that do not have administrator permissions can upload files to the Download Center or to Commvault App Studio.
Affected Products
These vulnerabilities affect the Commvault Web Server on Service Pack 16 and Feature Releases 11.20 through 11.24.
Resolution
To fix these vulnerabilities, download and install the following maintenance release (or a more recent release), for your Feature Release on the CommServe and Web Server.
Feature Release | Maintenance Release |
---|---|
11.24 | 7 |
11.23 | 21 |
11.22 | 36 |
11.20 | 64 |
SP16 | 116 |
Acknowledgments
We acknowledge Trend Micro for reporting this issue to us.
CVE-2021-41303: Apache Shiro Spring Boot Improper Authentication
In Apache Shiro before 1.8.0, when Shiro is used with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
For more information, see CVE-2021-41303 Detail.
Note:
This vulnerability does not affect Commvault products.
No Commvault application that contains an affected Shiro library uses Spring Boot.
CVE-2022-22950: Spring Expression DoS Vulnerability
In Spring Framework versions 5.3.0 through 5.3.16, 5.2.0 through 5.2.19, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
For more information, see CVE-2022-22950 Detail.
Vulnerability with Carbon Black Software
The Carbon Black software interferes with the proper functioning of the Commvault software by locking Commvault binaries and data files.
As a workaround, exclude the Commvault installation, job results, index cache, and data folders from monitoring. Keep the exclusions as narrow as possible: an excluded path is also invisible to Carbon Black's malware detection, so exclude only the folders the Commvault software actually uses, not whole drives or parent directories.
Examples:
C:\Program Files\Commvault\ContentStore
C:\Program Files\Commvault\ContentStore\iDataAgent\JobResults
C:\Program Files\Commvault\ContentStore\index cache
E:\Data
Commvault Ransomware Protection Is Safe from RIPlace
The Commvault ransomware protection feature is not affected by the RIPlace bypass technique that was recently reported in the news. For more information about RIPlace and Commvault, see Ransomware Protection Is Safe From RIPlace.
For more information about the Commvault ransomware protection feature, see Ransomware Protection.
Security Vulnerability With MongoDB Versions
Commvault has reviewed the security concerns with MongoDB versions as reported in CVE-2016-6494, and recommends that you upgrade the MongoDB instance installed by the Commvault software as described in the KB article SEC0019:Security Vulnerability Issues with MongoDB Versions.