Solved

Apache Vulnerability CVE-2022-23181 - Is this affecting Commvault?

  • 2 February 2022
  • 6 replies
  • 1193 views

Badge +1

In relation to Apache bug CVE-2022-23181, is this affecting any Commvault releases?

“This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.”

Best answer by Aplynx 2 February 2022, 18:47

Userlevel 6
Badge +13

I don’t see anything on this at the moment. Might be quicker to open a support request to get an answer.

Userlevel 6
Badge +13

Commvault is not affected by this CVE because we have disabled session persistence on our web applications, as described here:

https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html#Disable_Session_Persistence

E.g., if you check our apps’ context entries in ContentStore\Apache\conf\server.xml file, they will contain this setting:

<Manager pathname="" />
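
A small audit script that applies the check the answer above describes. It is an added example, not Commvault's or Tomcat's own code: it parses a server.xml and reports, per Context, whether session persistence is disabled (Manager with pathname=""), left at Tomcat's default (no Manager element, so the StandardManager persists to SESSIONS.ser), or configured with a PersistentManager plus FileStore, which is the configuration CVE-2022-23181 concerns. The server.xml content, the context paths and the docBase names are constructed for the example; the Manager and Store class names are Tomcat's real ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml for the example; not Commvault's actual configuration.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <!-- persistence disabled: an empty pathname turns off the StandardManager's session file -->
        <Context path="/webconsole" docBase="webconsole">
          <Manager pathname="" />
        </Context>
        <!-- no Manager element: Tomcat's default StandardManager persists sessions to SESSIONS.ser -->
        <Context path="/adminconsole" docBase="adminconsole" />
        <!-- PersistentManager backed by a FileStore: the setup the CVE text refers to -->
        <Context path="/legacy" docBase="legacy">
          <Manager className="org.apache.catalina.session.PersistentManager">
            <Store className="org.apache.catalina.session.FileStore" />
          </Manager>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def classify_context(ctx):
    """Classify one <Context> element's session persistence setting."""
    manager = ctx.find("Manager")
    if manager is None:
        # Tomcat falls back to StandardManager with pathname="SESSIONS.ser"
        return "default-persistence"
    store = manager.find("Store")
    if store is not None and store.get("className", "").endswith("FileStore"):
        return "filestore"
    if manager.get("pathname") == "":
        return "disabled"
    return "other"


def audit_server_xml(xml_text):
    """Return {context path: classification} for every <Context> in the file."""
    root = ET.fromstring(xml_text)
    return {ctx.get("path"): classify_context(ctx) for ctx in root.iter("Context")}


if __name__ == "__main__":
    for path, status in audit_server_xml(SAMPLE_SERVER_XML).items():
        flag = "OK " if status == "disabled" else "CHK"
        print(f"{flag} {path}: {status}")
```

To run it against a real installation, read the file named in the answer (ContentStore\Apache\conf\server.xml) into `audit_server_xml` instead of the constructed sample. Note that a Manager can also be declared in conf/context.xml or in an application's META-INF/context.xml, so a server.xml-only check shows what the answer describes but is not the complete picture for an arbitrary Tomcat deployment.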

Badge +1

Thanks for the info provided @Aplynx  :ok_hand:

Badge +4

Hello,

Need your help to understand the below requirement.

Are the below Apache Tomcat vulnerabilities fixed in 11.24.34? Or are these related to OS vulns?

Do we have any document to check which Vulns are fixed in which version?

 

Reported Vulns:
Apache Tomcat: Important: Information Disclosure (CVE-2016-6816)
Apache Tomcat: Low: XSS in SSI printenv (CVE-2019-0221)
Apache Tomcat: Low: Unrestricted Access to Global Resources (CVE-2016-6797)
Apache Tomcat: Low: System Property Disclosure (CVE-2016-6794)
Apache Tomcat: Important: Remote Code Execution (CVE-2017-12617)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-6796)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-5018)
Apache Tomcat default installation/welcome page installed
Apache Tomcat: Low: Timing Attack (CVE-2016-0762)

Userlevel 7
Badge +23

@Theja , we generally have vulnerabilities list on our docs.

Here’s an example:

https://documentation.commvault.com/11.24/essential/146231_security_vulnerability_and_reporting.html

Are there any you are not seeing listed?

Userlevel 6
Badge +13

Do you have an example audit\security report that is flagging CommVault as being vulnerable to these additional Apache exploits?