As you may know, over the last few days a lot of actions have needed to be performed regarding the Log4j vulnerability. Is this also used in the Commvault software?
If so, is there a patch/fix upcoming?
Best answer by Stuart Painter
There is a KB article posted in MA, but it says that v1 isn’t affected; it was last updated nearly two days ago, though.
Thanks Brock, although I’m not sure that list is complete. This server has multiple log4j JAR files and it doesn’t have those packages installed. Hopefully it’s not used in these, either.
C:\>dir /s E:\*log4j*.jar
Volume in drive E is Server Applications
Directory of E:\Program Files\Commvault\ContentStore\CVAnalytics\DataCube\app\webapps\server\WEB-INF\lib
06/22/2021 05:12 AM 481,403 apache-log4j-extras.jar
06/22/2021 05:13 AM 525,106 log4j.jar
06/22/2021 05:14 AM 16,710 slf4j-log4j12.jar
3 File(s) 1,023,219 bytes
Directory of E:\Program Files\Commvault\ContentStore\CVCIEngine\CvPreviewHome\app\webapps\server\WEB-INF\lib
06/22/2021 05:12 AM 481,403 apache-log4j-extras.jar
06/22/2021 05:13 AM 525,106 log4j.jar
06/22/2021 05:14 AM 16,710 slf4j-log4j12.jar
3 File(s) 1,023,219 bytes
Directory of E:\Program Files\Commvault\ContentStore\CVCIEngine\CvPreviewHome\webapps\CvContentPreviewGenApp\WEB-INF\lib
11/03/2021 05:29 PM 525,110 log4j-1.2.17.jar
1 File(s) 525,110 bytes
Total Files Listed:
7 File(s) 2,571,548 bytes
For what it’s worth, a scan of a server with the Cloud Apps package installed didn’t find any results for *log4j*.jar.
The developer of log4j said (on Friday), via Twitter, that 1.x is not vulnerable.
Log4j 1.x does not offer a look up mechanism. Log4j 1.x sends an event encapsulating a string message to a JMS server. That is it. The attacker can supply whatever string he chooses but it remains a String. So not the same. At all.
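The `dir /s` listing earlier in the thread matches on file names only, and `log4j.jar` carries no version in its name. As an added example (not from the thread and not Commvault's own tooling), this Python script classifies each matching JAR by what it contains; the marker class paths and the label names are choices made for this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Marker entries (chosen for this example): Log4j 2 core ships a JNDI lookup
# class; Log4j 1.x has no lookup mechanism and lives under org/apache/log4j/.
# Bridge JARs that re-implement the 1.x API match V1_CORE too; check the version.
V2_CORE = "org/apache/logging/log4j/core/Logger.class"
V2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
V1_CORE = "org/apache/log4j/Logger.class"

def manifest_version(jar):
    """Return Implementation-Version from the JAR manifest, or None."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def classify_jar(path):
    """Classify one JAR by its contents, not by its file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            version = manifest_version(jar)
    except (zipfile.BadZipFile, OSError):
        return ("unreadable", None)
    if V2_CORE in names:
        kind = "log4j2-core" if V2_JNDI in names else "log4j2-core-no-jndilookup"
    elif V1_CORE in names:
        kind = "log4j1"
    else:
        kind = "other"  # e.g. an SLF4J binding that only has log4j in its name
    return (kind, version)

def scan(root):
    """Walk root and classify every *log4j*.jar, like `dir /s *log4j*.jar`."""
    return {str(p): classify_jar(p)
            for p in Path(root).rglob("*.jar") if "log4j" in p.name.lower()}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (kind, version) in sorted(scan(root).items()):
        print(f"{kind:28} {version or '-':10} {path}")
```

Pass the install root as the only argument. The script reads exploded `WEB-INF\lib` directories like the ones in the listing; JARs packed inside a WAR or another JAR are not opened.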
There is an official fix out for different versions; kindly check with CommVault support.
Thanks!
Hello,
In this case the agents for Oracle and SQL are affected. Would it work if I install the updates on the CommServer and then run an update on all Oracle and SQL agents, or do the packages need to be deployed to each Oracle client?
The vulnerability should be fixed when the CommServe gets the update.
The media agents are not mentioned here. Do they also need the update?
It is recommended to push it on all… SQL and Oracle systems will be the affected ones if they are using log4j version 2.
Better to put it on all and do half work :)
Hello
All right, thanks. Then I will run the updates on the Media Agents and Commvault web server as well and finally run an update on all Oracle and SQL clients.
Once I install the update the Commvault services will shut down once and then start up again after the update.
Is the update then also immediately available for the SQL and Oracle, or do I have to consider something else?
We are on feature release version 11.24.21 for CS + MA and Clients.
Not using cloud apps but have MSSQL and Oracle iDataagent for backups and recovery.
How to check if we are using Database archiving, data masking, and logical dump backup?
Do I need to upgrade clients if I am taking MSSQL and Oracle iDataagent based backups?
Any upgrade required for CS and MA?
Hello Everyone,
How do I check if we are using Database archiving, data masking, logical dump backup and table level restore? We have many clients which have the Oracle and MSSQL agents installed, but is there any way or report to identify whether the features mentioned below are in use or not:
Oracle agent - Database archiving, data masking, and logical dump backup
Microsoft SQL Server agent - Database archiving, data masking, and table level restore
The 11.24 download bundle fix for Log4j includes HotFixes 4551, 4552 & 4553. I’m on the required 11.24.23 version, but when I click download latest fixes for current version and then run an update, it doesn’t install them. We have clients with Cloud apps, Oracle and SQL, but it says they are up to date.
Any news about the MongoDB + Tomcat products used on CommVault 11.24.23?
“MongoDB Atlas Search” is the only product of MongoDB that is vulnerable: https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb
I am using CV Oracle and Microsoft SQL agents (11.24.21) for backups and recovery but not using Database archiving, data masking, logical dump backup and table level restore. Do I need to follow these guidelines, or since I am not using any of these features do I not have to take any action in my backup environment? Please clarify.
I am also not quite sure whether the Cloud apps package includes the Azure blob storage. We too don't have the Oracle and SQL features mentioned in the vulnerability.
Hey all, FYI I created a sticky article with the latest info here. If you have any questions, please discuss there so everyone can benefit!
FYI we have a new article to discuss this concern:
I’ll close this off as we want to keep all discussions together for everyone’s collective benefit.