Skip to main content
commvault.com commvault.com
Answer

211214-365 | Log4J Vulnerability - Top Priority | CVLT::0001022113

  • December 14, 2021
  • 8 replies
  • 1021 views
P
Novice
Forum|alt.badge.img+3

Hi All,

 

We would like to understand the Log4J vulnerability scanning, mitigation plans for these to ensure the products are secured.

CommVault

Please let us know is there any impact or do we require any patches  or hotfix please suggest.

Commvault version V11SP11

 

Best answer by Laurent

Hi @PPC

 

Welcome to the Community.

As most others communities, make sure you read the (sticky) topics before asking. :wink:

This is already globally beeing answered, discussed, and tracked over here : 

Though you raised a case and that’s another communication channel.

8 replies

L
Novice
Forum|alt.badge.img+14
  • LaurentNovice
  • Novice
  • Answer
  • December 14, 2021

Hi @PPC

 

Welcome to the Community.

As most others communities, make sure you read the (sticky) topics before asking. :wink:

This is already globally beeing answered, discussed, and tracked over here : 

Though you raised a case and that’s another communication channel.

Mike Struening
MichaelCapon
Onno van den Berg
Community All Star
Forum|alt.badge.img+22

I think this says already enough….

Just posting something on a community forum is just not enough because it requires the customer/user to open the community. By now they also added a popup in MA but again it requires you to open MA before you receive the information.

I would expect to receive a notification (regardless of my MA settings) via mail. 

Mike Struening
L
Mike Struening
Vaulter
Forum|alt.badge.img+22

@Onno van den Berg , valid point for sure.  We DO have some tools coming around for our customer portal which will improve our ability to provide information easier, plus some enhancements to how we identify and reach out for critical issues.

This is also a tricky one in that most people are NOT impacted, and any mass messaging would result in more panic than actual remediation.

I also own our Proactive Reach outs (amongst a few dozen other areas) so I’m always happy to hear ideas and discuss.

https://www.linkedin.com/in/michael-struening
MichaelCapon
Mike Struening
Vaulter
Forum|alt.badge.img+22

I see you are being assisted on the incident opened.

If you have any further questions, please ask them on the sticky thread which is being closely monitored around the clock (and has most answers already written within).

https://www.linkedin.com/in/michael-struening
G
Novice
Forum|alt.badge.img
  • GregNovice
  • Novice
  • December 15, 2021

 

This is also a tricky one in that most people are NOT impacted,

That’s not how I took the blog/forum post. Anyone with Oracle or SQL agent is advised to update, even if they aren’t doing Archive or Table level restores.

Mike Struening
Vaulter
Forum|alt.badge.img+22

@Greg , that is correct.  You are only truly impacted if you use the Archive, masking, features.  However, we are advising updating the clients with those agents regardless because it’s entirely possible that those features get applied/utilized at some future time.

Better safe than sorry, essentially.

https://www.linkedin.com/in/michael-struening
MichaelCapon
Onno van den Berg
Community All Star
Forum|alt.badge.img+22

@Onno van den Berg , valid point for sure.  We DO have some tools coming around for our customer portal which will improve our ability to provide information easier, plus some enhancements to how we identify and reach out for critical issues.

This is also a tricky one in that most people are NOT impacted, and any mass messaging would result in more panic than actual remediation.

I also own our Proactive Reach outs (amongst a few dozen other areas) so I’m always happy to hear ideas and discuss.

@Mike Struening not communicating at all in this situation would be a dumb decision because every organization that takes security serious is assessing all applications and external providers including SaaS to see if they need to implement measures. additionally it is also how you write it down carefully it can also take a way the need for customers to open tickets. to make it more dynamical you could also point from that mail in the direction of the community/MA portal updates. 

Mike Struening
Vaulter
Forum|alt.badge.img+22

I agree.  We should have something going out soon with the 2.16 information.

With this issue, it evolved a few times as time went on, so we’re looking to get a message out soon now that we have the 2.16 upgrade forthcoming.

https://www.linkedin.com/in/michael-struening
MichaelCapon
Terms & ConditionsCookie settingsAccessibility statement