commvault.com commvault.com
Solved

Python vulnerability CVE 2015-20107

  • 25 April 2022
  • 4 replies
  • 1383 views
A
Rank
Badge +1

Last week one of our customers asked us if Commvault was using Python as they were investigating the vulnerability CVE 2015-20107. I found through another community post that Metrics servers or CommServes with metrics package are using Python.

Python 3 usage on Commserve

All versions of Python are currently vulnerable (up to latest release 3.10.4) so in-place patching of Python will no resolve this vulnerability in Python.

Is Commvault vulnerable and what workarounds and/or mitigations are recommended?

icon

Best answer by DMCVault 26 April 2022, 17:08

View original
If you have a question or comment, please create a topic

4 replies

Mike Struening RETIRED
Rank
Userlevel 7
Badge +23

@AnyLinQ_Support , I’m not aware of this exact CVE and am not seeing much other than 1 person asking.

We do have a KB for upgrading Python:

https://kb.commvault.com/article/69232

Tagging @DMCVault in case he knows.

https://www.linkedin.com/in/michael-struening
A
Rank
Badge +1

@AnyLinQ_Support , I’m not aware of this exact CVE and am not seeing much other than 1 person asking.

We do have a KB for upgrading Python:

https://kb.commvault.com/article/69232

Tagging @DMCVault in case he knows.

Thank you for the suggestion. I saw the manual upgrade KB as well. This will at least help when Python can be updated with a patched version.

 For the last 2 java vulnerabilities (log4j and spring4shell) the vulnerable versions were present but CV was not using them in a vulnerable way. I was hoping if anyone could tell if this is also the case as well for this CVE and if not, if there are any recommendation to temporarily mitigate.

D
Rank
Userlevel 5
Badge +8

@AnyLinQ_Support  we checked into this - we don't use the mailcap module, so we are not affected by this cve.  In the short term you can follow the kb to manually upgrade Python in case you are required to upgrade anyway.

A
Rank
Badge +1

@AnyLinQ_Support  we checked into this - we don't use the mailcap module, so we are not affected by this cve.  In the short term you can follow the kb to manually upgrade Python in case you are required to upgrade anyway.

Thank you very much for investigating. That at least resolves the issue for us regarding Commvault. 

Terms & ConditionsCookie settings