This advisory is archived
Archived security advisories updated before March 15, 2024 have been migrated from our previous documentation site in their original format. For this reason, they may not conform to the updated look and feel of advisories published after March 15, 2024.
- Advisory ID: CV_2022_04_1
- Issued: 2022-04-01
- Updated: 2022-04-01
- Additional Links:
Impacted Products
This vulnerability does not affect Commvault products.
Resolution
As stated in the Spring.io blog, if the application is deployed as a Spring Boot executable jar (the default), it is not vulnerable to the exploit. Commvault internally uses the Message Queue application, which runs as the default Spring Boot executable jar and is therefore not vulnerable to the exploit.
As a precaution, we have upgraded the Message Queue application and the Oracle and Microsoft SQL agents to the version recommended by Spring.io.
Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.
Feature Release | Maintenance Release |
---|---|
11.26 | |
11.25 | |
11.24 | |
11.23 | |
11.20 | |
SP16 | |
CVE Details
Info | Description |
---|---|
| In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. |
| A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. |
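The second CVE description above ties the known exploit path to three deployment conditions (JDK 9+, Spring MVC or WebFlux, and deployment as a WAR on Tomcat) and contrasts it with the non-vulnerable default of a Spring Boot executable jar. The following shell script is an added triage example, not Commvault's or Spring's code: it assumes an exploded deployment directory (a `WEB-INF/` tree for a WAR, a `BOOT-INF/` tree for a Boot jar) and the output of `java -version` as input, and it constructs sample layouts in a temporary directory so that it runs offline. As the advisory text itself notes, the vulnerability is more general than the known exploit path, so a "no" from this check only means the known preconditions are absent, not that the upgrade can be skipped.

```shell
#!/bin/sh
# Added triage helper (not Commvault's or Spring's code). Reports whether a
# deployed application matches the exploit preconditions quoted in the
# advisory: JDK 9+, Spring MVC/WebFlux present, deployed as a WAR on Tomcat.

# java_major_version "<output of java -version>" -> prints the major number.
# Handles both the "1.8.0_xxx" (JDK 8) and "17.0.2" (JDK 9+) version formats.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# deployment_type <app_dir> -> "war" for an exploded WAR layout (WEB-INF/),
# "boot-jar" for a Spring Boot executable-jar layout (BOOT-INF/), else "unknown".
deployment_type() {
    if [ -d "$1/WEB-INF" ]; then
        echo war
    elif [ -d "$1/BOOT-INF" ]; then
        echo boot-jar
    else
        echo unknown
    fi
}

# has_spring_web <app_dir> -> exit 0 if a spring-webmvc or spring-webflux jar
# is present in the deployment's lib directory, exit 1 otherwise.
has_spring_web() {
    for lib in "$1/WEB-INF/lib" "$1/BOOT-INF/lib"; do
        [ -d "$lib" ] || continue
        if ls "$lib" 2>/dev/null | grep -Eq '^spring-(webmvc|webflux)-.*\.jar$'; then
            return 0
        fi
    done
    return 1
}

# exploit_preconditions_met <app_dir> "<java -version output>" -> prints
# "yes" when all three quoted conditions hold, "no" otherwise. "no" covers only
# the known exploit path; the underlying issue is broader (see advisory text).
exploit_preconditions_met() {
    major=$(java_major_version "$2")
    [ -n "$major" ] || major=0
    if [ "$major" -ge 9 ] && [ "$(deployment_type "$1")" = war ] && has_spring_web "$1"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample layouts under a temp dir (not real deployments); the jar
# names are placeholders chosen to match the Spring artifact naming pattern.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/war/WEB-INF/lib" "$tmp/boot/BOOT-INF/lib"
    : > "$tmp/war/WEB-INF/lib/spring-webmvc-sample.jar"
    : > "$tmp/boot/BOOT-INF/lib/spring-webmvc-sample.jar"
    jdk17='openjdk version "17.0.2" 2022-01-18'
    jdk8='java version "1.8.0_322"'
    echo "WAR on JDK 17:      $(exploit_preconditions_met "$tmp/war" "$jdk17")"
    echo "WAR on JDK 8:       $(exploit_preconditions_met "$tmp/war" "$jdk8")"
    echo "Boot jar on JDK 17: $(exploit_preconditions_met "$tmp/boot" "$jdk17")"
    rm -rf "$tmp"
}
demo
```

On a real host, point `exploit_preconditions_met` at the exploded application directory (for Tomcat, typically a subdirectory of its `webapps/`) and pass it `"$(java -version 2>&1)"`; the Boot-jar case reports "no" because that layout is the non-vulnerable default the advisory describes.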