Security Vulnerability and Reporting

Report a Security Vulnerability

To report a new vulnerability, click here.

Security Advisories

CV_2024_01_1: Apache Struts 2 Vulnerability

Advisory ID: CV_2024_01_1

External Reporting ID: CVE-2023-50164

Issued On: Jan 22, 2024

Updated On: Jan 22, 2024

Severity: Critical

Affected Products

This vulnerability does not affect Commvault products.

Resolution

The Commvault software does not use Apache Struts and is unaffected by this vulnerability.

CV_2023_11_2: Heap Based Buffer Overflow Vulnerability in cURL

Advisory ID: CV_2023_11_2

External Reporting ID: CVE-2023-38545

Issued On: Nov 07, 2023

Updated On: Nov 07, 2023

Severity: Critical

Affected Products

This vulnerability does not affect Commvault products.

Resolution

As a precautionary measure, we will upgrade the cURL component in the product in an upcoming maintenance release.

CV_2023_11_1: Remote Code Execution Vulnerability in Apache ActiveMQ

Advisory ID: CV_2023_11_1

External Reporting ID: CVE-2023-46604

Issued On: Nov 06, 2023

Updated On: Nov 06, 2023

Severity: Critical

Affected Products

The vulnerability affects the Commvault Web Server.

Resolution

We have issued an update to replace the older versions of the Apache ActiveMQ component with version 5.18.3 on the Web Server.

To fix this vulnerability, install the following updates for the affected Platform Release on the Web Server:

Platform Release Minimum Maintenance Release Update Bundles
2023E 11.32.23
  • UpdateBundle_Build1108152_Form8457
  • UpdateBundle_Build1108152_Form8459
  • 2023 11.30.64
  • UpdateBundle_Build1108145_Form6573
  • UpdateBundle_Build1108145_Form6572
  • 2022E 11.28.83
  • UpdateBundle_Build1108141_Form5806
  • UpdateBundle_Build1108141_Form5807
  • CV_2023_10_1: Libwebp Vulnerability

    Advisory ID: CV_2023_10_1

    External Reporting ID: CVE-2023-4863

    Issued On: Oct 04, 2023

    Updated On: Oct 04, 2023

    Severity: Critical

    Affected Products

    We are aware that some third-party components that we use include the libwebp package. However, our initial analysis indicate that the vulnerability does not affect Commvault products.

    Resolution

    As a precautionary measure, we are monitoring the third-party components for any fixes. As and when we have an updated version of the third-party component, we will issue an update for the same.

    CV_2023_05_1: Volt Typhoon Advisory

    Advisory ID: CV_2023_05_1

    Issued On: May 26, 2023

    Updated On: May 26, 2023

    Severity: Critical

    Affected Products

    With the recent announcement of the Volt Typhoon cyber campaign, our team has conducted a thorough security assessment of Commvault and Metallic services and have found no impact to the security, privacy, or integrity of your data backups.

    Resolution

    We also recommend you to check your Commvault and Metallic environment to ensure security controls such as the following are active:

    • MFA is properly configured and up to date

    • Dual authorization workflows are in place for backup and restore operations

    • Compliance locks are enabled for services, apps, and backup destinations

    • Additionally, for customers looking for an extra layer of protection, we encourage you to evaluate ThreatWise, capable of surfacing zero-day and unknown threats in production environments.

    CV_2022_10_2: Remote Memory Corruption Vulnerability in OpenSSL

    Advisory ID: CV_2022_10_2

    External Reporting ID: CVE-2022-2274

    Issued On: October 31, 2022

    Updated On: October 31, 2022

    Severity: Critical

    Affected Products

    The vulnerability does not affect Commvault products.

    Resolution

    CVE-2022-2274 affects OpenSSL 3.0 and above versions. Commvault uses OpenSSL version 1.1.1, which is not affected by this vulnerability. This includes all Commvault Software, HyperScale X, ThreatWise, and Commvault Distributed Storage packages that are not affected by this vulnerability.

    CV_2022_10_1: Remote Code Execution Vulnerability in Apache Common Text

    Advisory ID: CV_2022_10_1

    External Reporting ID: CVE-2022-42889

    Issued On: October 18, 2022

    Updated On: October 18, 2022

    Severity: High

    Affected Products

    The vulnerability does not affect Commvault products.

    Resolution

    As a precautionary measure, we have upgraded the Apache Commons Text version in our product.

    Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.

    Platform Release

    Maintenance Release

    2022E

    11.28.44

    11.24

    11.24.86

    CV_2022_04_1: Remote Code Execution Vulnerability in the Spring Framework

    Advisory ID: CV_2022_04_1

    External Reporting ID: CVE-2022-22963, CVE-2022-22965

    Issued On: April 01, 2022

    Updated On: April 01, 2022

    Severity: High

    Affected Products

    The vulnerability does not affect Commvault products.

    Resolution

    As stated in the Spring.io blog, if the application is deployed as a Spring Boot executable jar, which is the default jar, it is not vulnerable to the exploit. Commvault internally uses the Message Queue application, which includes the default Spring Boot executable jar that is not vulnerable to the exploit.

    As a precaution, we have upgraded the Message Queue application, Oracle and Microsoft SQL agents to the version recommended by Spring.io.

    Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.

    Feature Release

    Maintenance Release

    11.26

    11.26.23

    11.25

    11.25.32

    11.24

    11.24.48

    11.23

    11.23.47

    11.20

    11.20.90

    SP16

    SP16.153

    CV_2022_01_1: Local Privilege Escalation Vulnerability in Polkit's pkexec Utility

    Advisory ID: CV_2022_01_1

    External Reporting ID: CVE-2021-4034

    Issued On: January 29, 2022

    Updated On: January 29, 2022

    Severity: High

    Affected Products

    The vulnerability may affect the Commvault Hyperscale products.

    Resolution

    To fix this vulnerability, install the February 2022 Operating System updates on the Hyperscale nodes. You do not require to install maintenance releases.

    For more information, see the following:

    CV_2021_12_1: Vulnerability in Apache Log4j Logging Libraries Impacting Commvault Products

    Advisory ID: CV_2021_12_1

    External Reporting IDs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832

    Issued On: December 11, 2021

    Updated On: February 01, 2022

    Severity: Critical

    Version: 6.0

    Affected Products

    The vulnerability may affect the following Commvault products:

    • Cloud Apps package

    • Oracle agent - Database archiving, data masking, and logical dump backup

    • Microsoft SQL Server agent - Database archiving, data masking, and table level restore

    • Commvault Distributed Storage

    • HyperScale X Appliance and Reference Architecture

    Resolution

    An update has been issued to remove log4j 1.x version and replace any older log4j versions with log4j 2.17.1 version on the affected Commvault packages.

    Download and install the following maintenance releases for your feature release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.

    The version of Apache Log4j included with the following maintenance releases are not vulnerable to the CVEs listed in this security advisory. Additionally, the log4j-over-slf4j binaries included with the platform are not vulnerable to the CVEs listed in this security advisory as outlined here: https://www.slf4j.org/log4shell.html. log4j-over-slf4j is a bridge library that removes a dependency on log4j. That library, and any other library with "log4j-over-slf4j" in its name, is usually used to help people quickly migrate from log4j to another logging implementation. It works by adding an API that mimics the signatures for log4j’s logging functions, and then routes those calls to slf4j instead, which in turn routes them to whatever logging implementation you are actually using.

    Older versions of Log 4j 1versions 1.2 and 2.3 are automatically cleaned up from the installation when the you upgrade the clients to the following maintenance release versions:

    Feature Release

    Maintenance Release

    11.26

    11.26.23

    11.25

    11.25.32

    11.24

    11.24.48

    11.23

    11.23.47

    11.20

    11.20.90

    SP16

    SP16.153

    To upgrade the Commvault Distributed Storage package, download and install Hedvig Release 4.5.3 from the Commvault Store. For more information, see Upgrading Clusters Non-disruptively.

    To upgrade the Commvault HyperScale X software, install the operating system updates on the Hyperscale nodes. For more information, see the following:

    Note

    Although Commvault v10 products are not affected by this vulnerability, we highly recommend that you upgrade the v10 agents to the most recent v11 version of the software.

    Also, see Log4j Files in Microsoft SQL Server 2019 Installations.

    CV_2021_08_1: Authentication Bypass Vulnerabilities on CVWebService Endpoint

    Advisory ID: CV_2021_08_1

    External Reporting IDs: CVE-2021-34993, CVE-2021-34994, CVE-2021-34995, CVE-2021-34996, CVE-2021-34997

    Issued On: August 08, 2021

    Updated On: August 08, 2021

    Severity: Medium

    Version: 1.0

    Description

    The following security vulnerabilities were reported with Commvault’s CVWebService Web Server endpoint:

    • Authentication bypass on a subset of web server APIs allows unauthorized users to download files from the web server.

    • CommCell users that do not have administrator permissions can upload files to the Download Center or to Commvault App Studio.

    Affected Products

    This vulnerability affects the Commvault Web Server on Service Pack 16 and Feature Releases 11.20-11.24.

    Resolution

    To fix these vulnerabilities, download and install the following maintenance release (or a more recent release), for your Feature Release on the CommServe and Web Server.

    Feature Release

    Maintenance Release

    11.24

    7

    11.23

    21

    11.22

    36

    11.20

    64

    SP16

    116

    Acknowledgments

    We acknowledge Trend Micro for reporting this issue to us.

    CVE-2021-41303: Apache Shiro Spring Boot Improper Authentication

    Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

    For more information, see CVE-2021-41303 Detail.

    Note

    • This vulnerability does not affect Commvault products.

    • No Commvault application that contains an affected Shiro library uses Spring Boot.

    CVE-2022-22950: Spring Expression DoS Vulnerability

    In Spring Framework versions 5.3.0 through 5.3.16, 5.2.0 through 5.2.19, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

    For more information, see CVE-2022-22950 Detail.

    Vulnerability with Carbon Black Software

    The Carbon Black software interferes with the proper functioning of the Commvault software by locking up binaries.

    As a work around, exclude the Commvault installation, job results, index cache, and data folders from monitoring.

    Examples:

    • C:\Program Files\Commvault\ContentStore

    • C:\Program Files\Commvault\ContentStore\iDataAgent\JobResults

    • C:\Program Files\Commvault\ContentStore\index cache

    • E:\Data

    Commvault Ransomware Protection Is Safe from RIPlace

    The Commvault ransomware protection feature is not affected by the RIPlace bypass technique that was recently reported about in the news. For more information about RIPlace and Commvault, see Ransomware Protection Is Safe From RIPlace.

    For more information about the Commvault ransomware protection feature, see Ransomware Protection.

    Security Vulnerability With MongoDB Versions

    Commvault has reviewed the security concerns with MongoDB versions as reported in CVE-2016-6494, and recommends that you upgrade the MongoDB instance installed by the Commvault software as described in the KB article SEC0019:Security Vulnerability Issues with MongoDB Versions.

    Loading...