Report a Security Vulnerability
To report a new vulnerability, click here.
CV_2021_12_1: Vulnerability in Apache Log4j Logging Libraries Impacting Commvault Products
Advisory ID: CV_2021_12_1
External Reporting IDs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832
Issued On: December 11, 2021
Updated On: December 29, 2021
Critical vulnerabilities were found on Apache Log4j logging libraries. For more information about the vulnerability, see the following reports:
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
CVE-2021-45046: Apache Log4j 2.15.0 was incomplete in certain non-default configurations
CVE-2021-45105: Apache Log4j versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups
CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
CVE-2021-44832: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
The following Commvault packages and agents are affected:
Cloud Apps package
Oracle agent - Database archiving, data masking, and logical dump backup
Microsoft SQL Server agent - Database archiving, data masking, and table level restore
Commvault Distributed Storage
HyperScale X Appliance and Reference Architecture
The following vulnerabilities do not affect the Commvault products:
CVE-2021-45105: The Log4j functionality described in CVE-2021-45105 (self-referential lookups) is not used by the Commvault software and therefore does not affect any Commvault products.
CVE-2021-4104: The Commvault software does not use the JMSAppender module; therefore, this vulnerability in Log4j 1.x versions does not affect any Commvault products.
CVE-2021-44832: The Commvault software does not use the JdbcAppender module; therefore, this remote code execution vulnerability does not affect any Commvault products.
An update has been issued to remove the log4j 2.0 through 2.15 versions from the affected Commvault packages.
Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.
To view the list of affected client computers in your CommCell environment, download and deploy the Log4J affected servers report (version 184.108.40.206), from the Commvault Store. For more information about downloading a custom report, see Downloading a Report from the Commvault Store.
To upgrade the Commvault HyperScale X software, install the operating system updates on the Hyperscale nodes. For more information, see the following:
Installing Updates on HyperScale X Appliance
Installing Updates on HyperScale X Reference Architecture
Note: Although Commvault v10 products are not affected by this vulnerability, we highly recommend that you upgrade the v10 agents to the most recent v11 version of the software.
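The advisory's remediation is the maintenance release and the Log4J affected servers report from the Commvault Store. As an added example that is not Commvault's code, the following Python script shows a host-side triage check a defender can run after patching: it walks an install tree for log4j-core jars, flags any whose major.minor version falls in the advisory's 2.0 through 2.15 range, and reports whether the jar still ships JndiLookup.class (the class that implements the JNDI lookup behind CVE-2021-44228 and CVE-2021-45046). The install root, the jar names and the stand-in jars built by demo() are constructed assumptions for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Range the advisory says the update removes: Log4j 2.0 through 2.15 (compared on major.minor).
AFFECTED_MIN = (2, 0)
AFFECTED_MAX = (2, 15)

# Class that implements the JNDI lookup in log4j-core 2.x; when it has been stripped from
# the jar the lookup cannot be reached regardless of the version string.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?\.jar$", re.IGNORECASE
)


def parse_log4j_core_version(filename):
    """Return (major, minor, patch, qualifier) from a log4j-core jar name, or None
    if the name is not a log4j-core jar. '2.0-beta7' parses as (2, 0, 0, 'beta7')."""
    m = _VERSION_RE.match(filename)
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), qualifier or "")


def is_in_affected_range(version):
    """True when major.minor falls inside the advisory's 2.0 through 2.15 range."""
    major_minor = (version[0], version[1])
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def jar_has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class; unreadable jars count as False."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return JNDI_LOOKUP_CLASS in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def scan_install_tree(root):
    """Walk root (assumed install directory) for log4j-core jars and classify each one."""
    findings = []
    for path in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = parse_log4j_core_version(path.name)
        if version is None:
            continue
        findings.append({
            "path": str(path),
            "version": version,
            "in_affected_range": is_in_affected_range(version),
            "has_jndi_lookup": jar_has_jndi_lookup(path),
        })
    return findings


def needs_remediation(finding):
    """Flag a jar that is both in the affected range and still carries the JNDI lookup class."""
    return finding["in_affected_range"] and finding["has_jndi_lookup"]


def _write_jar(path, with_jndi_lookup):
    """Constructed stand-in jar: a zip with a manifest and, optionally, a JndiLookup.class entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class


def demo():
    """Build a constructed install tree and return (all findings, jar names needing remediation)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Base").mkdir()
        (root / "CloudApps").mkdir()
        _write_jar(root / "Base" / "log4j-core-2.14.1.jar", True)        # in range, class present
        _write_jar(root / "CloudApps" / "log4j-core-2.17.1.jar", True)   # outside the range
        _write_jar(root / "Base" / "log4j-core-2.11.2.jar", False)       # in range, class stripped
        findings = scan_install_tree(root)
        flagged = [Path(f["path"]).name for f in findings if needs_remediation(f)]
        return findings, flagged


if __name__ == "__main__":
    found, flagged = demo()
    for f in found:
        print(f)
    print("needs remediation:", flagged)
```

Point scan_install_tree() at the real install root to use it on a host; the version range is the coarse signal from the advisory, and the JndiLookup.class check is what tells a jar that was patched by class removal apart from one that was not.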
CV_2021_08_1: Authentication Bypass Vulnerabilities on CVWebService Endpoint
Advisory ID: CV_2021_08_1
External Reporting IDs: CVE-2021-34993, CVE-2021-34994, CVE-2021-34995, CVE-2021-34996, CVE-2021-34997
Issued On: August 08, 2021
Updated On: August 08, 2021
The following security vulnerabilities were reported with Commvault’s CVWebService Web Server endpoint:
Authentication bypass on a subset of web server APIs allows unauthorized users to download files from the web server.
CommCell users that do not have administrator permissions can upload files to the Download Center or to Commvault App Studio.
This vulnerability affects the Commvault Web Server on Service Pack 16 and Feature Releases 11.20-11.24.
To fix these vulnerabilities, download and install the following maintenance release (or a more recent release), for your Feature Release on the CommServe and Web Server.
We acknowledge Trend Micro for reporting this issue to us.
Vulnerability with Carbon Black Software
The Carbon Black software interferes with the proper functioning of the Commvault software by locking Commvault binaries.
As a workaround, exclude the Commvault installation, job results, index cache, and data folders from Carbon Black monitoring.
For example: C:\Program Files\Commvault\ContentStore\index cache
Commvault Ransomware Protection Is Safe from RIPlace
The Commvault ransomware protection feature is not affected by the RIPlace bypass technique that was recently reported in the news. For more information about RIPlace and Commvault, see Ransomware Protection Is Safe From RIPlace.
For more information about the Commvault ransomware protection feature, see Ransomware Protection.
Security Vulnerability With MongoDB Versions
Commvault Systems, Inc. has reviewed the security concerns with MongoDB versions reported in CVE-2016-6494 and recommends that you upgrade the MongoDB instance installed by the Commvault software, as described in the KB article SEC0019: Security Vulnerability Issues with MongoDB Versions.