Solved

Log4j vulnerability

  • 13 December 2021
  • 15 replies
  • 4960 views

Badge +1

Is Commvault affected by the Log4j vulnerability?

If yes, is there a patch available?

If no, is there a link to the official statement from Commvault saying so?

Greets

Nanco de Cortie

Best answer by Mike Struening 13 December 2021, 20:44

15 replies

Userlevel 6
Badge +14

Hi @Nanco,

I’d suggest checking this thread: 


We do have an official statement published here: https://documentation.commvault.com/v11/essential/146231_security_vulnerability_and_reporting.html

Best Regards,

Michael

Badge +1

Thank You Michael

downloading 11_24 with 11.24 Log4J Fix

Userlevel 3
Badge +11

@MichaelCapon

I am using CV Oracle and Microsoft SQL agents (11.24.21) for backups and recovery, but not using database archiving, data masking, logical dump backup and table level restore. Do I need to follow these guidelines, or since I am not using any of these features do I not have to take any action in my backup environment? Please clarify.

  • Cloud Apps package
  • Oracle agent - Database archiving, data masking, and logical dump backup
  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore

Userlevel 6
Badge +14

Hey @Mohit Chordia,

Even though you're not specifically using these features, it is still possible that the affected binaries are still present on your servers.

To mitigate any risk here, I would still suggest downloading and installing the following updates from the Commvault Store for your Feature Release on the affected client computers.

Feature Release   Minimum Maintenance Release Required   Update
11.25             11.25.9                                11.25 Log4J Fix
11.24             11.24.23                               11.24 Log4J Fix
11.23             11.23.37                               11.23 Log4J Fix
11.22             11.22.50                               11.22 Log4J Fix
11.21             11.21.66                               11.21 Log4J Fix
11.20             11.20.77                               11.20 Log4J Fix
SP16              SP16.128                               SP16 Log4J Fix

Best Regards,

Michael

Userlevel 3
Badge +11

@MichaelCapon

I have approx. 300+ clients which have the SQL or Oracle iDataAgent configured. We are currently at level 11.24.21 for CS + MA + the majority of clients.

  • Do you recommend upgrading the CS from 11.24.21 to 11.24.23, then installing the 11.24 Log4J Fix?
  • Upgrade media agents from 11.24.21 to 11.24.23 and then install the 11.24 Log4J Fix?
  • Would I be able to push the 11.24 Log4J Fix remotely to SQL and Oracle clients, similar to how we push a maintenance release after upgrading the CS, or do I need to manually install the fix on all 300+ clients after upgrading the clients to maintenance release 11.24.23?

Regards,
Mohit

Userlevel 3
Badge +11

Thank You Michael

downloading 11_24 with 11.24 Log4J Fix

@Nanco

Did you install it on clients, or on the CommServe and media agents as well?

Can we remotely install the fix to all affected clients?

What is the procedure you took?

Badge +1

@Mohit Chordia

I am looking for this as well: how to download / push to affected clients via the CommServe.

@MichaelCapon

Could you share documents with steps on how to do this?

Thanks

Kent

Userlevel 7
Badge +23

Hi @kent !

I started a new article with all of the details listed here:

Badge

How to verify the running version of log4j?

Badge

YES! How do we install the patch? That is the question…

Badge

https://community.commvault.com/technical-q-a-2/log4j-been-used-in-commvault-1985

Here is the link to get the patch, which I have installed. I need to document and verify the version - how do I do that?

Badge

@Vinny, after applying the patch, right-click on the server that was patched, go to Properties and then Version, and the hotfix shows up.

Badge

Installed the patch but still being detected as vulnerable, and when I check:

C:\Program Files\Commvault\ContentStore\Base\vmheartbeatmon\zookeeper\lib

I still see:

log4j-1.2.16.jar

Shouldn't it remove this?

Userlevel 5
Badge +11

Hi @nightspd,

Log4j v1.x is not impacted by this vulnerability, so you may still see lingering files for this older version. Commvault is actively looking to upgrade these too, although the current priority is to patch all log4j v2.0-2.14 binaries.
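Two questions in this thread, how to verify which log4j version is on a server and why a log4j-1.2.16.jar is still on disk after the fix, can both be answered by scanning the install tree rather than trusting file names. The script below is an added example and not Commvault's tooling: it reads each jar's manifest for the version, checks whether JndiLookup.class is present (deleting that class from the jar was a widely used interim mitigation), and classifies each jar using the scope stated in this thread (2.0-2.14 affected, 1.x not affected). The ContentStore-like paths and the jars themselves are constructed stand-ins written to a temp directory.

```python
import os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAMPLES = {"Base/vmheartbeatmon/zookeeper/lib/log4j-1.2.16.jar": ("1.2.16", False),  # constructed stand-ins
           "Base/other/lib/log4j-core-2.14.1.jar": ("2.14.1", True),
           "Base/other/lib/log4j-core-2.13.0.jar": ("2.13.0", False)}

def inspect_jar(path):
    """Return (Implementation-Version from the jar manifest or None, whether JndiLookup.class is present)."""
    try:
        with zipfile.ZipFile(path) as z:
            names = z.namelist()
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    except (zipfile.BadZipFile, OSError):
        return None, False  # missing or unreadable jar: classify() reports it as unknown
    found = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M | re.I)
    return (found.group(1) if found else None), JNDI_CLASS in names

def classify(version, has_jndi):
    """State per the thread's scope: log4j 2.0-2.14 is affected, 1.x is not, later 2.x is a fixed release."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    if not m:
        return "unknown version: inspect manually"
    major, minor = int(m.group(1)), int(m.group(2))
    if major == 1:
        return "not affected (log4j 1.x)"
    if (major, minor) > (2, 14):
        return "fixed release"
    return "AFFECTED: apply the Log4J Fix" if has_jndi else "affected release, JndiLookup.class already removed"

def scan(root):
    """Walk an install tree and return (relative path, version, state) for every log4j*.jar, sorted by path."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files if n.lower().startswith("log4j") and n.lower().endswith(".jar")):
            version, has_jndi = inspect_jar(path)
            hits.append((os.path.relpath(path, root).replace(os.sep, "/"), version, classify(version, has_jndi)))
    return sorted(hits)

def build_sample_tree():
    """Write SAMPLES to a fresh temp directory as minimal jars (manifest plus a placeholder class) and return it."""
    root = tempfile.mkdtemp()
    for rel, (ver, jndi) in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            if jndi:
                z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return root
```

Run `scan(build_sample_tree())` to see the three sample jars classified; point `scan()` at a real ContentStore directory to inventory an actual client, and treat any "AFFECTED" or "unknown version" line as something to check against the hotfix shown under the client's Properties > Version.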

Userlevel 7
Badge +23

FYI all, we have a new article created to discuss all concerns about this vulnerability.

I’m going to close this thread off as we want to make sure we are all talking to each other and benefiting from the collective wisdom :nerd: