Question

Apache vulnerable CVE-2022-34305 & CVE-2022-42252

  • 29 November 2023
  • 4 replies
  • 165 views


The recommendation by Tomcat to solve this issue is to update the version to the last recommended release.

I just need to ask if the update will affect the Commvault application, or whether you have any concerns or recommendations from your side.



Hello @mohammad yasin 

CVE-2022-34305 is an issue with a sample application that is distributed with Tomcat by default. Commvault does not deploy any of Apache’s sample applications, so we are not impacted by this vulnerability.


For CVE-2022-42252, if Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Commvault is not affected because we don't use the affected settings.


In short, Commvault is not affected by either of these vulnerabilities and patching won’t affect us.


Thank you,
Collin
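The reply above describes the precondition for CVE-2022-42252: a server (or the proxy in front of it) that accepts a syntactically invalid Content-Length value instead of rejecting the request. The check that a hardened front end performs is small, so here it is as an added illustration; this is example code written for this page, not Commvault's or Tomcat's own implementation. It assumes the RFC 9110 grammar for the field (`Content-Length = 1*DIGIT`) and uses constructed sample requests; the function and header names are illustrative choices, not anything from the thread.

```python
"""Strict Content-Length validation of the kind a reverse proxy or servlet
container must perform before forwarding a request.  Added example, not
Commvault or Tomcat code.  Grammar follows RFC 9110 section 8.6."""
import re
from typing import List, Optional, Tuple

# RFC 9110: Content-Length = 1*DIGIT  (no sign, no spaces, no suffix)
_DIGITS = re.compile(rb"^[0-9]+$")
# RFC 9110 token characters permitted in a field name
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class InvalidHeader(ValueError):
    """Raised when the request must be answered with 400 rather than forwarded."""


def parse_headers(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Split the header block into (lower-cased name, value) pairs, rejecting
    malformed lines and obsolete line folding."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise InvalidHeader("header block not terminated")
    lines = head.split(b"\r\n")
    if not lines[0]:
        raise InvalidHeader("missing request line")
    fields = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise InvalidHeader("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            raise InvalidHeader(f"malformed header line: {line!r}")
        fields.append((name.lower(), value.strip(b" \t")))
    return fields


def content_length(fields: List[Tuple[bytes, bytes]]) -> Optional[int]:
    """Return the declared body length, or None if the header is absent.
    Anything other than exactly one purely numeric value is rejected.
    RFC 9110 permits merging identical duplicate values; a proxy is safer
    rejecting them, which is what this function does."""
    values = [v for n, v in fields if n == b"content-length"]
    if not values:
        return None
    if len(values) > 1:
        raise InvalidHeader("multiple Content-Length headers")
    value = values[0]
    if not _DIGITS.match(value):
        # Catches "+5", "5abc", "4 2", "", "5, 5", "0x2A" and similar
        raise InvalidHeader(f"invalid Content-Length value: {value!r}")
    return int(value)


def check_request(raw: bytes) -> Tuple[bool, str]:
    """(True, 'ok:<length>') when the request may be forwarded, else
    (False, reason) so the caller can log the rejection and return 400."""
    try:
        length = content_length(parse_headers(raw))
    except InvalidHeader as exc:
        return False, str(exc)
    return True, f"ok:{length}"


# Constructed sample requests (not captured traffic).
GOOD = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
BAD_SIGN = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: +5\r\n\r\nhello"
BAD_DUP = (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("signed", BAD_SIGN), ("duplicate", BAD_DUP)):
        print(label, check_request(req))
```

The point of `check_request` is that the decision is made on the raw bytes before any lenient parsing runs, and that rejection is the default for every ambiguous form. A front end that forwards such requests after normalising them can disagree with the origin server about where the body ends, which is the condition the CVE text describes.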

Can you please let me know if I can update the Apache version with the Commvault upgrade kit?


Hello @mohammad yasin 

Yes you can.

Private Metrics Reporting Server: System Requirements - https://documentation.commvault.com/2023e/essential/3545_private_metrics_reporting_server_system_requirements.html

Note: You cannot manually upgrade the Apache Tomcat Server. The Commvault software always updates the Tomcat server with the most recent security updates, so that the components that use the Tomcat server do not have vulnerabilities that are reported by the open source community.


Thank you,

Collin


As Collin mentioned, Commvault was never impacted by either CVE.

Additionally, all currently supported versions of Commvault deploy a Tomcat version in which those issues were addressed by Apache. As long as the latest maintenance release is installed, neither CVE is relevant anymore.

Thanks,

Blaine
