Question

Apache Vulnerability CVE-2016-8735

  • February 17, 2025
  • 4 replies
  • 109 views

This one is a bit of an old vulnerability and I see there has been an update to its status this month.

 

A customer has picked up this vulnerability on the Commserve. They’re running V11.28.102.

I cannot find any information on the security bulletin site. I’ve recommended that they upgrade to V11.28.137, as there is mention of some Apache vulnerability patches (but not which ones), and then run the vulnerability scanner.

 

Does anyone have any info or experience in this particular issue that we’ve noted?

 

 

Rajiv
Vaulter
  • February 17, 2025

Hello @Mauro, I would suggest you open a support ticket with us to get this investigated.

Best,

Rajiv Singal


No version of Commvault was ever affected by CVE-2016-8735.

The earliest version of Tomcat 9.x we ever used (back in SP16 or so) was 9.0.12, and the CVE only affected old milestone releases of 9.0.0, per the CVE description.

If the customer still has concerns, they will need to open a ticket and provide details from their security audit.

 

 


Onno van den Berg
Community All Star

Funny to see that their vulnerability scanner found something vulnerable in a Commvault version that is already more than a year old. I hope their scanning is part of a bigger project to improve their resilience, but leaving your environment unpatched for so long is waiting for a disaster to strike...


  • Author
  • Novice
  • March 11, 2025

Thanks for the feedback all. I wasn’t available for a few weeks, hence my late response.

I will pass this feedback to the customer and log a ticket if they still have concerns.

I’ll provide feedback.