Security Vulnerability and Reporting

Report a Security Vulnerability

To report a new vulnerability, click here.

Security Advisories

CV_2022_04_1: Remote Code Execution Vulnerability in the Spring Framework

Advisory ID: CV_2022_04_1

External Reporting ID: CVE-2022-22963, CVE-2022-22965

Issued On: April 01, 2022

Updated On: April 01, 2022

Severity: High

Affected Products

The vulnerability does not affect Commvault products.

Resolution

As stated in the Spring.io blog, an application deployed as a Spring Boot executable jar (the default packaging) is not vulnerable to the exploit. Commvault's Message Queue application is packaged as the default Spring Boot executable jar and is therefore not vulnerable to the exploit.

As a precaution, we have upgraded the Message Queue application, Oracle and Microsoft SQL agents to the version recommended by Spring.io.

Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.

Feature Release    Maintenance Release
11.26              11.26.23
11.25              11.25.32
11.24              11.24.48
11.23              11.23.47
11.20              11.20.90
SP16               SP16.153

CV_2022_01_1: Local Privilege Escalation Vulnerability in Polkit's pkexec Utility

Advisory ID: CV_2022_01_1

External Reporting ID: CVE-2021-4034

Issued On: January 29, 2022

Updated On: January 29, 2022

Severity: High

Affected Products

The vulnerability may affect the Commvault Hyperscale products.

Resolution

To fix this vulnerability, install the February 2022 operating system updates on the Hyperscale nodes. You do not need to install maintenance releases.

For more information, see the following:

CV_2021_12_1: Vulnerability in Apache Log4j Logging Libraries Impacting Commvault Products

Advisory ID: CV_2021_12_1

External Reporting IDs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832

Issued On: December 11, 2021

Updated On: February 01, 2022

Severity: Critical

Version: 6.0

Affected Products

The vulnerability may affect the following Commvault products:

  • Cloud Apps package

  • Oracle agent - Database archiving, data masking, and logical dump backup

  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore

  • Commvault Distributed Storage

  • HyperScale X Appliance and Reference Architecture

Resolution

An update has been issued that removes log4j 1.x and replaces any older log4j versions with log4j 2.17.1 in the affected Commvault packages.

Download and install the following maintenance releases for your feature release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.

The version of Apache Log4j included with the following maintenance releases is not vulnerable to the CVEs listed in this security advisory. Additionally, the log4j-over-slf4j binaries included with the platform are not vulnerable to the CVEs listed in this security advisory, as outlined at https://www.slf4j.org/log4shell.html.

log4j-over-slf4j is a bridge library that removes the dependency on log4j. That library, and any other library with "log4j-over-slf4j" in its name, is typically used to migrate quickly from log4j to another logging implementation. It works by providing an API that mimics the signatures of log4j's logging functions and routing those calls to slf4j, which in turn routes them to whatever logging implementation is actually in use.

Feature Release    Maintenance Release
11.26              11.26.23
11.25              11.25.32
11.24              11.24.48
11.23              11.23.47
11.20              11.20.90
SP16               SP16.153

To upgrade the Commvault Distributed Storage (CDS) package, download and install Hedvig Release 4.5.3 from the Commvault Store. For more information, see Upgrading Clusters Non-disruptively.

To upgrade the Commvault HyperScale X software, install the operating system updates on the Hyperscale nodes. For more information, see the following:

Note: Although Commvault v10 products are not affected by this vulnerability, we highly recommend that you upgrade the v10 agents to the most recent v11 version of the software.
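The advisory distinguishes three cases a practitioner has to tell apart when inventorying a host: a real log4j 2.x jar at or above 2.17.1 (patched), an older 2.x jar, a log4j 1.x jar that the update removes, and the log4j-over-slf4j bridge, which only mimics the log4j API and is not vulnerable. The following script is an added example, not Commvault's tooling or part of the advisory; it identifies a jar from its Maven pom.properties and class entries, and the sample jars it classifies are constructed in memory for the demonstration.

```python
import io
import re
import zipfile

SAFE_LOG4J2 = (2, 17, 1)  # the log4j 2 version the advisory's maintenance releases ship
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"

def read_pom_properties(zf):
    """Return (artifactId, version) from the Maven pom.properties inside a jar, if present."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            lines = zf.read(name).decode("utf-8", "replace").splitlines()
            props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
            return props.get("artifactId"), props.get("version")
    return None, None

def classify_jar(data):
    """Classify one jar (bytes) as the advisory does: bridge, patched 2.x, unpatched 2.x, 1.x, other."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        artifact, version = read_pom_properties(zf)
    if artifact == "log4j-over-slf4j":
        return "bridge-not-vulnerable"   # only mimics the log4j API and routes calls to slf4j
    if artifact == "log4j-core" or JNDI_LOOKUP in names:
        if version and tuple(int(x) for x in re.findall(r"\d+", version)[:3]) >= SAFE_LOG4J2:
            return "log4j2-patched"
        return "log4j2-vulnerable"       # all five listed CVEs are closed only at 2.17.1 or later
    if LOG4J1_LOGGER in names:
        return "log4j1-remove"           # end-of-life 1.x; the update removes it outright
    return "not-log4j"

def make_jar(group, artifact, version, entries):
    """Build a minimal constructed jar in memory for the demo; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties", f"artifactId={artifact}\nversion={version}\n")
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()

def demo():
    """Classify four constructed sample jars; returns {label: status}."""
    samples = {
        "log4j-core-2.14.1": make_jar("org.apache.logging.log4j", "log4j-core", "2.14.1", [JNDI_LOOKUP]),
        "log4j-core-2.17.1": make_jar("org.apache.logging.log4j", "log4j-core", "2.17.1", [JNDI_LOOKUP]),
        "log4j-1.2.17": make_jar("log4j", "log4j", "1.2.17", [LOG4J1_LOGGER]),
        "log4j-over-slf4j-1.7.32": make_jar("org.slf4j", "log4j-over-slf4j", "1.7.32", [LOG4J1_LOGGER]),
    }
    return {label: classify_jar(data) for label, data in samples.items()}
```

To run it against a real installation, read each *.jar under the product directory into bytes and pass it to classify_jar; a jar whose pom.properties is missing is still caught by its class entries.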

CV_2021_08_1: Authentication Bypass Vulnerabilities on CVWebService Endpoint

Advisory ID: CV_2021_08_1

External Reporting IDs: CVE-2021-34993, CVE-2021-34994, CVE-2021-34995, CVE-2021-34996, CVE-2021-34997

Issued On: August 08, 2021

Updated On: August 08, 2021

Severity: Medium

Version: 1.0

Description

The following security vulnerabilities were reported with Commvault’s CVWebService Web Server endpoint:

  • Authentication bypass on a subset of web server APIs allows unauthorized users to download files from the web server.

  • CommCell users that do not have administrator permissions can upload files to the Download Center or to Commvault App Studio.

Affected Products

This vulnerability affects the Commvault Web Server on Service Pack 16 and Feature Releases 11.20-11.24.

Resolution

To fix these vulnerabilities, download and install the following maintenance release (or a more recent release) for your Feature Release on the CommServe and Web Server.

Feature Release    Maintenance Release
11.24              7
11.23              21
11.22              36
11.20              64
SP16               116

Acknowledgments

We acknowledge Trend Micro for reporting this issue to us.

CVE-2021-41303: Apache Shiro Spring Boot Improper Authentication

In Apache Shiro before 1.8.0, when Apache Shiro is used with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

For more information, see CVE-2021-41303 Detail.

Note:

  • This vulnerability does not affect Commvault products.

  • No Commvault application that contains an affected Shiro library uses Spring Boot.

Vulnerability with Carbon Black Software

The Carbon Black software interferes with the proper functioning of the Commvault software by locking its binaries.

As a workaround, exclude the Commvault installation, job results, index cache, and data folders from monitoring.

Examples:

  • C:\Program Files\Commvault\ContentStore

  • C:\Program Files\Commvault\ContentStore\iDataAgent\JobResults

  • C:\Program Files\Commvault\ContentStore\index cache

  • E:\Data

Commvault Ransomware Protection Is Safe from RIPlace

The Commvault ransomware protection feature is not affected by the RIPlace bypass technique that was recently reported in the news. For more information about RIPlace and Commvault, see Ransomware Protection Is Safe From RIPlace.

For more information about the Commvault ransomware protection feature, see Ransomware Protection.

Security Vulnerability With MongoDB Versions

Commvault Systems, Inc. has reviewed the security concerns with MongoDB versions as reported in CVE-2016-6494, and recommends that you upgrade the MongoDB instance installed by the Commvault software as described in the KB article SEC0019: Security Vulnerability Issues with MongoDB Versions.