Solved

Does the new patch fix CVE-2021-4104?

  • 3 February 2022



Hello,
I wanted to know if the current patch 11.20.90 (01-Feb-2022) fixes the problem.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4104
Can anyone here already make a statement?

With kind regards

Thomas
 


Best answer by thomas.S 4 February 2022, 17:11


6 replies


CVE-2021-4104: The Commvault software does not use the JMSAppender module and, therefore, the vulnerability about log4j 1.x versions does not affect any Commvault products.
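An added example, not part of the thread and not Commvault code: CVE-2021-4104 applies to Log4j 1.2 only when a configuration enables JMSAppender, so a scanner hit on the jar file alone does not show exposure. This script reports the two findings separately; the file names and contents built in `demo()` are constructed.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"    # path inside a log4j 1.x jar
JMS_REF = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")
CONFIG_NAME = re.compile(r"log4j.*\.(properties|xml)$", re.IGNORECASE)

def jms_lines(text):
    """Line numbers where a log4j 1.x config actively references JMSAppender."""
    # Blank out XML comments but keep their newlines so line numbers stay right.
    text = re.sub(r"<!--.*?-->", lambda m: "\n" * m.group().count("\n"), text, flags=re.S)
    return [n for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith(("#", "!")) and JMS_REF.search(line)]

def scan(root):
    """Report jars that ship the class and configs that actually enable it."""
    report = {"jars_with_class": [], "configs_enabling_jms": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() == ".jar" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as jar:
                for name in jar.namelist():
                    if name == JMS_CLASS:
                        report["jars_with_class"].append(path.name)
                    elif CONFIG_NAME.match(name.rsplit("/", 1)[-1]):
                        if jms_lines(jar.read(name).decode("utf-8", "replace")):
                            report["configs_enabling_jms"].append(f"{path.name}!{name}")
        elif CONFIG_NAME.match(path.name):
            if jms_lines(path.read_text(encoding="utf-8", errors="replace")):
                report["configs_enabling_jms"].append(path.name)
    return report

def demo():
    """Constructed sample tree: a stand-in jar plus two config files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        with zipfile.ZipFile(root / "log4j-sample.jar", "w") as jar:
            jar.writestr(JMS_CLASS, b"")          # empty placeholder entry
        (root / "log4j.properties").write_text(
            "log4j.appender.A1=org.apache.log4j.ConsoleAppender\n"
            "#log4j.appender.J=org.apache.log4j.net.JMSAppender\n")
        (root / "log4j-audit.xml").write_text(
            '<appender name="J" class="org.apache.log4j.net.JMSAppender"/>\n')
        return scan(root)
```

An entry under `jars_with_class` with nothing under `configs_enabling_jms` is the situation the reply describes: the class is on disk but no appender uses it.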


Hello @Aplynx,
Since we always have this message in our daily security scans, it should be possible to delete the Log4J jar files without any problem.

Files\Commvault\ContentStore2\CvFailover\CvMonitoringService\lib\log4j-1.2.16.jar


There is an upcoming patch to address this and remove those files. I would not recommend removing them manually. I’d post any additional questions you have here:

 

 


Hello @Aplynx,

Thanks for your feedback.
Is there already an approximate date by when this patch will be available?


We have now applied the patch and will check tomorrow whether the messages have disappeared after the security scan. I will give an update on the issue tomorrow. 


Today's security scans showed that the patch did something. Log4J is now no longer a problem. 
 

Have a nice weekend