Solved

211214-365 | Log4J Vulnerability - Top Priority | CVLT::0001022113

  • 14 December 2021
  • 8 replies
  • 1003 views

Hi All,

 

We would like to understand the Log4J vulnerability scanning and mitigation plans to ensure the products are secured.

CommVault

Please let us know whether there is any impact and whether we require any patches or hotfixes. Please suggest.

Commvault version V11SP11

 

Hi @PPC

 

Welcome to the Community.

As with most other communities, make sure you read the (sticky) topics before asking. :wink:

This is already globally being answered, discussed, and tracked over here:

Though you raised a case and that’s another communication channel.


I think this says already enough….

Just posting something on a community forum is just not enough because it requires the customer/user to open the community. By now they also added a popup in MA but again it requires you to open MA before you receive the information.

I would expect to receive a notification (regardless of my MA settings) via mail. 


@Onno van den Berg, valid point for sure. We DO have some tools coming around for our customer portal which will improve our ability to provide information easier, plus some enhancements to how we identify and reach out for critical issues.

This is also a tricky one in that most people are NOT impacted, and any mass messaging would result in more panic than actual remediation.

I also own our Proactive Reach outs (amongst a few dozen other areas) so I’m always happy to hear ideas and discuss.


I see you are being assisted on the incident opened.

If you have any further questions, please ask them on the sticky thread which is being closely monitored around the clock (and has most answers already written within).


 

This is also a tricky one in that most people are NOT impacted,

That’s not how I took the blog/forum post. Anyone with Oracle or SQL agent is advised to update, even if they aren’t doing Archive or Table level restores.


@Greg, that is correct. You are only truly impacted if you use the Archive, masking, features. However, we are advising updating the clients with those agents regardless because it’s entirely possible that those features get applied/utilized at some future time.

Better safe than sorry, essentially.


@Onno van den Berg, valid point for sure. We DO have some tools coming around for our customer portal which will improve our ability to provide information easier, plus some enhancements to how we identify and reach out for critical issues.

This is also a tricky one in that most people are NOT impacted, and any mass messaging would result in more panic than actual remediation.

I also own our Proactive Reach outs (amongst a few dozen other areas) so I’m always happy to hear ideas and discuss.

@Mike Struening Not communicating at all in this situation would be a dumb decision, because every organization that takes security seriously is assessing all applications and external providers, including SaaS, to see if they need to implement measures. Additionally, it is also about how you write it down: written carefully, it can also take away the need for customers to open tickets. To make it more dynamic, you could also point from that mail in the direction of the community/MA portal updates.


I agree.  We should have something going out soon with the 2.16 information.

With this issue, it evolved a few times as time went on, so we’re looking to get a message out soon now that we have the 2.16 upgrade forthcoming.

