Question

Apache vulnerable CVE-2022-34305 & CVE-2022-42252

  • 29 November 2023
  • 4 replies
  • 154 views

Badge +1

the recommendation by tomcat to solve this issue to update the version to the last recommended release,

just i need to ask if the update will effect on Commvault application or you have any concern and recommendation from your side.


4 replies

Userlevel 5
Badge +14

Hello @mohammad yasin 

CVE-2022-34305 is an issue with a sample application that is distributed with Tomcat by default. Commvault does not deploy any of Apache’s sample applications, so we are not impacted by this vulnerability.

 

For CVE-2022-42252, if Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Commvault is not affected because we don't use the affected settings.

 

In short, Commvault is not affected by either of these vulnerabilities and patching won’t affect us.

 

Thank you,
Collin

Badge +1

can you please let me know if i can update the apached version with upgrade commvault kit

Userlevel 5
Badge +14

Hello @mohammad yasin 

Yes you can.

Private Metrics Reporting Server: System Requirements - https://documentation.commvault.com/2023e/essential/3545_private_metrics_reporting_server_system_requirements.html

Note: You cannot manually upgrade the Apache Tomcat Server. The Commvault software always updates the Tomcat server with the most recent security updates, so that the components that use the Tomcat server do not have vulnerabilities that are reported by the open source community.

 

Thank you,

Collin

Userlevel 1
Badge +2

As Collin mentioned, Commvault was never impacted by either CVE.

Additionally, all currently supported versions of Commvault deploy a Tomcat version in which those issues were addressed by Apache. As long as the latest maintenance release is installed, neither CVE is relevant anymore.

Thanks,

Blaine

Reply