Log4j showed me a huge flaw in the way Commvault pushes information related to Maintenance Releases (MRs).
Problem one is the software reading a list, allowing different installations to fetch different MRs as their ‘latest’ MR. I’ve got a colleague currently being offered 11.24.34 for example.
Problem two is ma.commvault.com not showing all releases or reasons why one got pulled. Documentation’s repo (https://documentation.commvault.com/11.24/expert/138863_list_of_maintenance_releases_for_feature_release_1124.html) isn’t complete either.
I had 11.24.31 offered at one point (through the software). This version was pulled, and only through support did I get to know the reason: the Server Event Manager crashing occasionally. This is a problem, because only 11.24.30 and later should include log4j 2.17, per its release notes: https://documentation.commvault.com/11.24/assets/service_pack/updates/11_24_31.htm. And I’ve now got two customers that have this problem, but at least they’re safe from log4j, so you win some, you lose some apparently…
Third problem is a combination. ma.commvault.com’s direct download links even have an 11.24.34 and 11.24.35 available when you change the URL (e.g. for WinX64), while only 11.24.32 should have gone public today, per support. Neither of those has release notes (same deal, by changing 11.24.29’s URL). While we’re at it, at the moment you don’t have a clear, publicly available MR that should protect from log4j fully.
As for the solution, as the single source of true information, I believe documentation.commvault.com should be kept up to date with work-in-progress entries for MRs, including MRs that got pulled and a reason why. (And while you’re at it, copy the download links for us lazy IT people…)