V11 Service Pack 10


We are pleased to announce the eleventh generation of our industry leading software! You can now experience all the latest innovations designed to provide you with a business advantage.

In addition to the new software features and usability enhancements in this release, we have rearchitected the core of our software. This includes the following:

  • The Security layer for greater access control and flexibility, and to address the needs of mobile users.
  • The Networking layer to support new transport modes, and provide greater speeds and better scaling.
  • The Database layer which has been simplified to eliminate potential bottlenecks.
  • The Indexing layer to support multiple databases as well as live edit capabilities.
  • Deduplication to use an in-memory database to support high availability.

Refer to the New Features list, which highlights the major new features and capabilities of our software, including a description, applicable agents, use cases, and license information. In addition, the New Features list contains information about Early Release features, which provides an advanced look at the very latest capabilities we are adding. Other topics provide a more information of everything new in in this version of the Commvault software:

If you are a new user of our software, we recommend that you start by reading the Overview pages, and try out our software by following the Quick Start Guide.

Service Pack 10 Automatic Downloads Available on January 15, 2018

Service Pack 10 is now available. Customers who would like to get the service pack immediately may download it manually by following the instructions in Service Pack Installations. For customers who use the default schedules, the software is automatically downloaded on or after January 15th, 2018.


Upgrades from previous versions are supported. When your CommServe is eligible for upgrade, you will see the Request Upgrade to V11 option in your dashboard. If you do not see the option, see Upgrades - FAQ.

For general information about upgrades, see Upgrades.

Java Runtime Environment (JRE)

Oracle has discovered an issue with some versions of their Java software. This issue prevents the CommCell Console from starting when it is accessed as a web-based application. To avoid this issue, you can install Java version 1.8.0_101 and all subsequent CPU (Critical Patch Update) versions. Do not install Java 8 Update 72, 74, 77, 91, 92, or 102 (versions 1.8.0_72, 1.8.0_74, 1.8.0_77, 1.8.0_91, 1.8.0_92, and 1.8.0_102).

CommServe Server and MediaAgents Can Be a Virtual Machine

You can use virtual machines instead of physical clients for the CommServe server and MediaAgents. Virtual machines must meet the same hardware specifications as physical clients, such as CPU, RAM, IOPs, and network requirements.

We recommend that you manage extra-large backend data (up to 400 TB) with a single extra-large MediaAgent using two DDB (deduplication database) partitions. For more information, see Hardware Specifications for Deduplication Extended Mode.

For other information about CommServe server and MediaAgent sizing, see the following topics:

For VMware using ESXi 6.0 EP6 (build 3825889), incremental backups that use application quiescing are equivalent to Full Backups

A known issue with VMware ESXi 6.0 EP6 (build 3825889) caused Changed Block Tracking (CBT) to return all blocks for a virtual disk, resulting in backups that were the total size of the virtual disk. This affected backup applications, including Commvault, when incremental backups were run using application consistent quiescing with CBT, for guest virtual machines running Windows 2008 or later.

Note: This issue did not result in data loss, but did increase the size and running time of incremental backups.

You can resolve this issue by applying the patch that was provided by VMware in VMware ESXi 6.0, Patch ESXi-6.0.0-20160804001-standard (2145667).

For more information, see the VMware KB article After upgrading to ESXi 6.0 Build 3825889, incremental virtual machine backups effectively run as full backups when application consistent quiescing is enabled (2145895).


Meltdown and Spectre Chip Vulnerability

Security analysts recently announced the presence of two hardware bugs, called Meltdown and Spectre, which may allow the ability to exploit critical vulnerabilities in modern processors. The following security alert has been issued with further details.

Commvault software is not vulnerable to these hardware bugs directly. Our software runs in the application layer making calls to the operating system libraries which in turn makes kernel calls. Patching the underlying operating system is the only action required.

The recommended patches for the Intel-based Meltdown exploit may impact hardware performance on heavy IO operation servers. The performance impact is not specific to Commvault, however Commvault software may be indirectly impacted depending on the overall workload, and type of hardware being used.

Spectre patching at the operating system and vulnerable application levels are still being developed and the performance impact to Commvault software has not yet been determined. However, the impact is not expected to be greater than the Meltdown solution.

Commvault Communication Service (CVD) Command Injection Vulnerability

We reviewed the vulnerability, identified by MetaSploit, in the CVD.exe service and addressed this issue in Version 11 Service Pack 7.

For more information, see KB article CVD0006: Commvault Communication Service (CVD) Command Injection Vulnerability.

Installing Windows Updates on All Clients in a Client Computer Group

To keep your CommCell environment secure, you must stay up-to-date with all Windows operating system updates. You can use the Install Windows Updates workflow to download and install Microsoft updates on all client computers in a client computer group. Download the Install Windows Updates workflow from Commvault Store. For instructions, see Download Workflows from Commvault Store. For details about the Install Windows Updates workflow, see Install Windows Updates Workflow.

Apache Tomcat Vulnerability Posted by NVD

Our engineering team has reviewed the NVD posting regarding the CVE-2017-12617 vulnerability in Apache Tomcat software, as well as the response by Apache. Based on our review, we can report that the configuration used by Commvault Tomcat installations does not include the WebDav servlet and does not alter the default value of "true" for default servlet init-param "readonly". All versions of V10 and V11 Commvault software are unaffected by this potential vulnerability.

MongoDB Security Implementation

Commvault software uses the MongoDB database program to store and to retrieve comments and replies associated with Edge Drive objects. During the installation of MongoDB, Commvault enables authentication mode and updates the default user credentials with a random password. For more information about Commvault and MongoDB, see MongoDB Security, Usage, Installation, and De-installation on the Commvault knowledge base website.

Cross-protocol attack on TLS on OpenSSL using SSLv2 (DROWN)

We have reviewed the OpenSSL Security Advisory posted on March 1, 2016, and can report that our firewall code uses TLS 1.2 and therefore is unaffected by this potential vulnerability.

For Commvault Web Console or Web Server, ensure that you are using the latest version of Microsoft IIS and that SSLv2 is disabled. Refer to the following articles for more information:

Linux Kernel Vulnerability Posted by NVD

Our engineering team has reviewed the NVD posting regarding a potential vulnerability in the Linux kernel before 4.4.1, as well as the response by RedHat. Based on our review, we can report that Commvault does not use this API in our backup and recovery code, and our File Recovery Enabler for Linux uses Centos 6.x kernels, and thus our software is not vulnerable to this potential threat.

Vulnerability Posted by Software Engineering Institute CERT Division

Commvault acts swiftly on all security risks to verify the authenticity of the risk and any required resolution of that risk for all supported versions of our software. Our engineering team has reviewed the CERT posting and we have identified a potential security vulnerability in the Web Console through our own testing. At this time, there have been no customer reports of this issue.

This vulnerability is addressed in Version 11 SP1. It is not necessary to download or install any separate Hotfix to address it.

OpenSSL Security Advisory dated 3 Dec 2015 - Update 4 Dec 2015

OpenSSL vulnerabilities CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, and CVE-2015-3195 as described in OpenSSL.org's Security Advisory do not affect Commvault software.

Stack-Based Buffer Overflow Vulnerability

Our engineering team has reviewed the CERT posting on the stack-based buffer overflow vulnerability for Commvault Edge and have addressed this issue in Version 11 Service Pack 7.

 For more information, see KB article SEC0013: Stack-based buffer overflow vulnerability.