Security Vulnerability and Reporting

Report a Security Vulnerability

To report a new vulnerability, click here.

Security Advisories

CV_2021_12_1: Vulnerability in Apache Log4j Logging Libraries Impacting Commvault Products

Advisory ID: CV_2021_12_1

External Reporting IDs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832

Issued On: December 11, 2021

Updated On: December 29, 2021

Severity: Critical

Version: 4.0

Description

Critical vulnerabilities were found in the Apache Log4j logging libraries. For more information about each vulnerability, see the following reports:

  • CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

  • CVE-2021-45046: Apache Log4j 2.15.0 was incomplete in certain non-default configurations

  • CVE-2021-45105: Apache Log4j versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups

  • CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data

  • CVE-2021-44832: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

Affected Products

The CVE-2021-44228 and CVE-2021-45046 vulnerabilities may affect the following Commvault products:

  • Cloud Apps package

  • Oracle agent - Database archiving, data masking, and logical dump backup

  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore

  • Commvault Distributed Storage

  • HyperScale X Appliance and Reference Architecture

The following vulnerabilities do not affect Commvault products:

  • CVE-2021-45105: The Log4j functionality involved in CVE-2021-45105 (self-referential lookups) is not used by the Commvault software, and therefore the vulnerability does not affect any Commvault products.

  • CVE-2021-4104: The Commvault software does not use the JMSAppender module, and therefore this Log4j 1.x vulnerability does not affect any Commvault products.

  • CVE-2021-44832: The Commvault software does not use the JdbcAppender module, and therefore this remote code execution vulnerability does not affect any Commvault products.

Resolution

An update has been issued that removes Log4j versions 2.0 through 2.15 from the affected Commvault packages.

Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.

To view the list of affected client computers in your CommCell environment, download and deploy the Log4J affected servers report (version 1.1.2.3), from the Commvault Store. For more information about downloading a custom report, see Downloading a Report from the Commvault Store.

Feature Release    Maintenance Release
11.26              11.26.3
11.25              11.25.14
11.24              11.24.29
11.23              11.23.42
11.22              11.22.57
11.20              11.20.85
SP16               SP16.136

To upgrade the Commvault Distributed Storage (CDS) package, download and install Hedvig Release 4.5.3 from the Commvault Store. For more information, see Upgrading Clusters Non-disruptively.

To upgrade the Commvault HyperScale X software, install the operating system updates on the HyperScale X nodes. For more information, see the following:

Note: Although Commvault v10 products are not affected by this vulnerability, we highly recommend that you upgrade the v10 agents to the most recent v11 version of the software.

CV_2021_08_1: Authentication Bypass Vulnerabilities on CVWebService Endpoint

Advisory ID: CV_2021_08_1

External Reporting IDs: CVE-2021-34993, CVE-2021-34994, CVE-2021-34995, CVE-2021-34996, CVE-2021-34997

Issued On: August 08, 2021

Updated On: August 08, 2021

Severity: Medium

Version: 1.0

Description

The following security vulnerabilities were reported with Commvault’s CVWebService Web Server endpoint:

  • Authentication bypass on a subset of web server APIs allows unauthorized users to download files from the web server.

  • CommCell users that do not have administrator permissions can upload files to the Download Center or to Commvault App Studio.

Affected Products

These vulnerabilities affect the Commvault Web Server on Service Pack 16 and Feature Releases 11.20 through 11.24.

Resolution

To fix these vulnerabilities, download and install the following maintenance release (or a more recent release) for your Feature Release on the CommServe and the Web Server.

Feature Release    Maintenance Release
11.24              7
11.23              21
11.22              36
11.20              64
SP16               116

Acknowledgments

We acknowledge Trend Micro for reporting this issue to us.

Vulnerability with Carbon Black Software

The Carbon Black software interferes with the proper functioning of the Commvault software by locking Commvault binaries.

As a workaround, exclude the Commvault installation, job results, index cache, and data folders from Carbon Black monitoring.

Examples:

  • C:\Program Files\Commvault\ContentStore

  • C:\Program Files\Commvault\ContentStore\iDataAgent\JobResults

  • C:\Program Files\Commvault\ContentStore\index cache

  • E:\Data

Commvault Ransomware Protection Is Safe from RIPlace

The Commvault ransomware protection feature is not affected by the RIPlace bypass technique that was recently reported in the news. For more information about RIPlace and Commvault, see Ransomware Protection Is Safe From RIPlace.

For more information about the Commvault ransomware protection feature, see Ransomware Protection.

Security Vulnerability With MongoDB Versions

Commvault Systems, Inc. has reviewed the security concerns with MongoDB versions reported in CVE-2016-6494, and recommends that you upgrade the MongoDB instance installed by the Commvault software as described in the KB article SEC0019: Security Vulnerability Issues with MongoDB Versions.