Solved

Is log4j used in Commvault?

  • 11 December 2021
  • 43 replies
  • 29965 views

Userlevel 3
Badge +6

As you may know, over the last days a lot of actions have had to be performed regarding the Log4j vulnerability. Is this also used in the Commvault software?

If so, is there a patch/fix upcoming?

Best answer by Stuart Painter 13 December 2021, 09:35


Userlevel 3
Badge +13

Hello @Hussain

All right, thanks. Then I will run the updates on the Media Agents and the Commvault web server as well, and finally run an update on all Oracle and SQL clients.
Once I install the update, the Commvault services will shut down once and then start up again after the update.
Is the update then also immediately available for SQL and Oracle, or do I have to consider something else?

Badge

Looking at the official advisory referenced above, Security Vulnerability and Reporting (commvault.com), it is still not entirely clear what the correct procedure to remediate this issue is.

The remediation says, “Download and install the following updates from the Commvault store for your Feature Release on the affected client computers”


So, if you are on FR 11.24.xx, the remediation seems to suggest going to FR 11.24.23, but then it refers to an “Upgrade” file named “11.24 Log4J Fix”.

Does this mean that the minimum requirement is to first update your Commcell to 11.24.23, and then you need to run a specific separate Upgrade file against those client computers that have the Cloud Apps package, Oracle Agent or SQL Agent?

I would hope that a consolidated 11.24 hotfix pack that includes the fix might be released to simplify this, so that as long as you upgrade to that FR 11.24.xx hotfix pack in one go you are covered without needing to then manually upgrade individual clients.

If Brock or the product team could clarify the exact remediation process envisioned, or whether a consolidated Feature Release hotfix pack that includes the fix for a one-step upgrade (as much as upgrades are ever one-step) is planned, it would be greatly appreciated.

Regards,
M

Badge
  1. Share your environment details with Commvault support and discuss in detail with them; they are helping in a very reliable manner.
  2. It is always recommended to install the hotfix on the CommServe and Media Agents first before pushing it to client servers, else there will be compatibility issues.
  3. log4j is troublesome only if your Oracle and SQL system has version 2 of it installed.
  4. Commvault is using version 1 of log4j; still, it is recommending going to the latest hotfix for your service pack.
  5. Anything above service pack 16 has a hotfix available right now; anyone running a version below that needs to reach out to Commvault support for help and recommendations.

Userlevel 3
Badge +11

Can someone document the steps that need to be taken?

Also, if we are not using archiving & masking, do we need to upgrade the feature release for SQL and Oracle clients?

Userlevel 5
Badge +11

Hi all,

The minimum Maintenance Release needs to be installed first on CS/MA/potentially impacted clients. Then the additional update patch needs to be installed on top on the clients. The Log4j packages are installed on clients, not CS/MA (unless the CS/MA also had the impacted agents).

These patches will eventually be rolled into a Maintenance Release just like any other official Commvault patches, according to the release cycle.

It is being released out of band/cycle here due to the severity of the vulnerability and the potential impact.

Thank you

Edit: HotFix 2763 will need to go on the CS and Windows clients, whilst HotFixes 2764 and 2765 go on clients (Unix only for 2764 and Unix/Windows for 2765)

Userlevel 3
Badge +11

We are on feature release version 11.24.21 for CS + MA and clients.

Not using Cloud Apps, but we have MSSQL and Oracle iDataAgents for backups and recovery.

How do we check if we are using database archiving, data masking, and logical dump backup?

Do I need to upgrade clients if I am taking MSSQL and Oracle iDataAgent based backups?

Any upgrade required for CS and MA?

Userlevel 5
Badge +11

If you are just using MSSQL and Oracle streaming or IntelliSnap backup, then you shouldn’t be impacted at all. Log4j packages may be discovered during security scan but they are not actually running/active. 

Userlevel 3
Badge +11

Hello everyone,

How do I check if we are using database archiving, data masking, logical dump backup and table level restore? We have many clients which have the Oracle and MSSQL agents installed, but is there any way or report to identify whether the below mentioned features are in use or not?

  • Oracle agent - Database archiving, data masking, and logical dump backup

  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore

Badge

The 11.24 download bundle fix for Log4j includes HotFixes 4551, 4552 & 4553. I'm on the required 11.24.23 version, but when I click “download latest fixes for current version” and then run an update, it doesn't install them. We have clients with Cloud Apps, Oracle and SQL, but it says they are up to date.

Badge

Any news about the MongoDB + Tomcat products used in Commvault 11.24.23?

“MongoDB Atlas Search” is the only product of MongoDB that is vulnerable: https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb

Userlevel 3
Badge +11

@Stuart Painter @Brock @M Scheepers

I am using CV Oracle and Microsoft SQL agents (11.24.21) for backups and recovery, but not using database archiving, data masking, logical dump backup or table level restore. Do I need to follow these guidelines, or since I am not using any of these features, do I not have to take any action in my backup environment? Please clarify.

  • Cloud Apps package
  • Oracle agent - Database archiving, data masking, and logical dump backup
  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore
Badge

@Stuart Painter @Brock @M Scheepers

I am using CV Oracle and Microsoft SQL agents (11.24.21) for backups and recovery, but not using database archiving, data masking, logical dump backup or table level restore. Do I need to follow these guidelines, or since I am not using any of these features, do I not have to take any action in my backup environment? Please clarify.

  • Cloud Apps package
  • Oracle agent - Database archiving, data masking, and logical dump backup
  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore

I am also not quite sure about the Cloud Apps packages, whether it includes the Azure blob storage. We too don't have the Oracle and SQL features as mentioned in the vulnerability.

Badge +1

Thanks Brock, although I’m not sure that list is complete. This server has multiple log4j JAR files and it doesn’t have those packages installed. Hopefully it’s not used in these, either.

...

C:\>dir /s E:\*log4j*.jar
Volume in drive E is Server Applications

Directory of E:\Program Files\Commvault\ContentStore\CVAnalytics\DataCube\app\webapps\server\WEB-INF\lib

06/22/2021 05:12 AM 481,403 apache-log4j-extras.jar
06/22/2021 05:13 AM 525,106 log4j.jar
06/22/2021 05:14 AM 16,710 slf4j-log4j12.jar
3 File(s) 1,023,219 bytes

Directory of E:\Program Files\Commvault\ContentStore\CVCIEngine\CvPreviewHome\app\webapps\server\WEB-INF\lib

06/22/2021 05:12 AM 481,403 apache-log4j-extras.jar
06/22/2021 05:13 AM 525,106 log4j.jar
06/22/2021 05:14 AM 16,710 slf4j-log4j12.jar
3 File(s) 1,023,219 bytes

Directory of E:\Program Files\Commvault\ContentStore\CVCIEngine\CvPreviewHome\webapps\CvContentPreviewGenApp\WEB-INF\lib

11/03/2021 05:29 PM 525,110 log4j-1.2.17.jar
1 File(s) 525,110 bytes

Total Files Listed:
7 File(s) 2,571,548 bytes

For what it’s worth, a scan of a server with the Cloud Apps package installed didn’t find any results for *log4j*.jar.

Same here, installed the fix on MA (v11.22.54).

Pre:

C:\Users\Administrator>dir /s d:\*log4j*.jar
 Volume in drive D is DATA
 Volume Serial Number is 789B-8583

 Directory of d:\Commvault\ContentStore\Base\vmheartbeatmon\zookeeper\lib

25.10.2017  20:43           481.535 log4j-1.2.16.jar
25.10.2017  20:43             9.753 slf4j-log4j12-1.6.1.jar
               2 File(s)        491.288 bytes

Post:

C:\Users\Administrator>dir /s d:\*log4j*.jar
 Volume in drive D is DATA
 Volume Serial Number is 789B-8583

 Directory of d:\Commvault\ContentStore\Base\vmheartbeatmon\zookeeper\lib

25.10.2017  20:43           481.535 log4j-1.2.16.jar
25.10.2017  20:43             9.753 slf4j-log4j12-1.6.1.jar
               2 File(s)        491.288 bytes

UpdatInfo.log snippet:

16652 22280 12/13 16:37:17 ###      User selected to start Simpana services
16652 22280 12/13 16:37:17 ### Deleting file D:\Commvault\ContentStore\Base\DbJars\log4j-api-2.3.jar
16652 22280 12/13 16:37:17 ### Deleting file D:\Commvault\ContentStore\Base\DbJars\log4j-core-2.3.jar

The same log entries appear even if the path is not present.

Tried on different clients (Cloud App, SQL, Oracle)

Is the Fix really final?

Regards,

Alex
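
An added example, not from this thread or from Commvault, of the check a defender would run over listings like the two above: it walks an install tree the way dir /s *log4j*.jar does and sorts each jar into Log4j 1.x (not affected by CVE-2021-44228), Log4j 2.x with or without the JndiLookup class, an slf4j binding, or unknown. The sample tree it builds for a dry run is constructed (jar names borrowed from the listings; not a real Commvault install), and an unversioned file name such as plain log4j.jar is deliberately reported as unknown for manual inspection.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class whose presence makes a Log4j 2.x jar exploitable via CVE-2021-44228;
# Log4j 1.x jars (log4j-1.2.x, as in the listings above) never contain it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^log4j(?:-[a-z]+)?-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.I)

def classify(path):
    """'slf4j-binding' (logging facade, not log4j itself), 'log4j1' (not
    affected by CVE-2021-44228), 'log4j2-jndi' (JndiLookup present: needs
    the fix), 'log4j2-no-jndi' (e.g. log4j-api alone), or 'unknown'."""
    name = path.name.lower()
    if name.startswith("slf4j-"):
        return "slf4j-binding"
    try:
        with zipfile.ZipFile(path) as z:
            if JNDI_LOOKUP in z.namelist():
                return "log4j2-jndi"   # contents decide before the file name
    except zipfile.BadZipFile:
        return "unknown"
    m = VERSION_RE.match(name)
    if not m:
        return "unknown"               # e.g. plain log4j.jar: inspect manually
    return "log4j1" if int(m.group(1)) == 1 else "log4j2-no-jndi"

def inventory(root):
    """Equivalent of 'dir /s *log4j*.jar' over root: {relative path: class}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*log4j*.jar"))}

def build_sample():
    """Constructed sample tree (not a real Commvault install) for a dry run."""
    lib = Path(tempfile.mkdtemp()) / "lib"
    lib.mkdir()
    jars = {
        "log4j-1.2.17.jar": "org/apache/log4j/Logger.class",
        "log4j.jar": "org/apache/log4j/Logger.class",
        "slf4j-log4j12-1.6.1.jar": "org/slf4j/impl/Log4jLoggerAdapter.class",
        "log4j-api-2.3.jar": "org/apache/logging/log4j/Logger.class",
        "log4j-core-2.3.jar": JNDI_LOOKUP,
    }
    for name, entry in jars.items():
        with zipfile.ZipFile(lib / name, "w") as z:
            z.writestr(entry, b"")     # empty placeholder class entries
    return lib.parent
```

Point inventory() at the ContentStore folder of a real server to get the same classification for the jars the dir listings show.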

Badge

Can someone document the steps which needs to be taken ?

Would appreciate this too. Never had to do out-of-band updates manually before, but probably the order is to install the updates from the download package in proper order (4561, 4562, 4563) and ignore any overlap between them 😞 It would really be convenient to push this from the CommCell instead of manually on each individual client…

Userlevel 4
Badge +9

First download the latest MR of your current Feature Release. Wait until Download Software job completes.

Then run the Copy Software job against the folder containing the log4j packages. Wait until the Copy Software job completes.

Your software cache is ready for remote deployment.


Userlevel 7
Badge +23

Hey all, FYI I created a sticky article with the latest info here.  If you have any questions, please discuss there so everyone can benefit!


Userlevel 7
Badge +23

FYI we have a new article to discuss this concern:


I’ll close this off as we want to keep all discussions together for everyone’s collective benefit :nerd: