Solved

log4j been used in Commvault

  • 11 December 2021
  • 43 replies
  • 30456 views



43 replies

Badge

There is a KB article posted in MA, but it says that v1 isn’t affected; it was last updated nearly two days ago, though.

Badge

Thanks Brock, although I’m not sure that list is complete. This server has multiple log4j JAR files and it doesn’t have those packages installed. Hopefully it’s not used in these, either.

 

C:\>dir /s E:\*log4j*.jar
Volume in drive E is Server Applications

Directory of E:\Program Files\Commvault\ContentStore\CVAnalytics\DataCube\app\webapps\server\WEB-INF\lib

06/22/2021 05:12 AM 481,403 apache-log4j-extras.jar
06/22/2021 05:13 AM 525,106 log4j.jar
06/22/2021 05:14 AM 16,710 slf4j-log4j12.jar
3 File(s) 1,023,219 bytes

Directory of E:\Program Files\Commvault\ContentStore\CVCIEngine\CvPreviewHome\app\webapps\server\WEB-INF\lib

06/22/2021 05:12 AM 481,403 apache-log4j-extras.jar
06/22/2021 05:13 AM 525,106 log4j.jar
06/22/2021 05:14 AM 16,710 slf4j-log4j12.jar
3 File(s) 1,023,219 bytes

Directory of E:\Program Files\Commvault\ContentStore\CVCIEngine\CvPreviewHome\webapps\CvContentPreviewGenApp\WEB-INF\lib

11/03/2021 05:29 PM 525,110 log4j-1.2.17.jar
1 File(s) 525,110 bytes

Total Files Listed:
7 File(s) 2,571,548 bytes

For what it’s worth, a scan of a server with the Cloud Apps package installed didn’t find any results for *log4j*.jar.

Badge

The developer of log4j said (on Friday) that 1.x is not vulnerable, via twitter.

Log4j 1.x does not offer a look up mechanism. Log4j 1.x sends an event encapsulating a string message to a JMS server. That is it. The attacker can supply whatever string he chooses but it remains a String. So not the same. At all.
So it seems this is likely all moot, anyway. Regardless, removing unused libraries from packages is a good thing.
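A way to turn the `dir /s E:\*log4j*.jar` listing above into a triage report, and to check the 1.x-versus-2.x distinction the developer's quote relies on, as an added example that is not code from this thread, from Commvault or from the log4j project: it walks a tree for *log4j*.jar, reads each jar's version from its Maven pom.properties or manifest, checks which logger classes it bundles (so an slf4j binding or the extras jar is not mistaken for log4j 1.x on version alone), and splits 2.x jars by whether the version is at or above 2.16.0, the release that removed message lookups and disabled JNDI by default. Every jar it scans is a constructed zip the script writes itself into a temporary directory; the directory layout, versions and class placeholders are assumptions for the demo, not real Commvault contents. Point scan() at a real root such as E:\Program Files\Commvault to run it against a live server.

```python
"""Added example: classify *log4j*.jar files found under a directory tree.

Constructed demo; the jars it creates are plain zip files with just enough
metadata to be classified, not real log4j binaries."""
import re
import tempfile
import zipfile
from pathlib import Path

# Class that implements ${jndi:...} lookups in log4j 2.x (no equivalent in 1.x)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"               # present in log4j 1.x
LOG4J2_LOGGER = "org/apache/logging/log4j/core/Logger.class"  # present in log4j-core 2.x
PATCHED_FROM = (2, 16, 0)   # message lookups removed, JNDI off by default


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_jar(jar_path):
    """Read version metadata and marker classes from one jar."""
    version = None
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        # Maven-built jars carry META-INF/maven/<group>/<artifact>/pom.properties
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        # Fall back to the manifest's Implementation-Version / Bundle-Version
        if version is None and "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                m = re.match(r"(?:Implementation-Version|Bundle-Version):\s*(\S+)", line)
                if m:
                    version = m.group(1)
                    break
    return {"version": version, "jndi_lookup": JNDI_LOOKUP in names,
            "log4j1": LOG4J1_LOGGER in names, "log4j2_core": LOG4J2_LOGGER in names}


def classify(info):
    """Map inspect_jar() output to a triage bucket; class presence decides the family."""
    v = parse_version(info["version"])
    if info["log4j2_core"] or info["jndi_lookup"]:
        if v is None:
            return "log4j2-unknown-version"
        return "log4j2-patched" if v >= PATCHED_FROM else "log4j2-unpatched"
    if info["log4j1"]:
        return "log4j1"
    return "other"   # name matched but no logger class: slf4j binding, extras, etc.


def scan(root):
    """Walk root like `dir /s *log4j*.jar` and classify every match."""
    root = Path(root)
    report = {}
    for jar in sorted(root.rglob("*log4j*.jar")):
        info = inspect_jar(jar)
        info["status"] = classify(info)
        report[jar.relative_to(root).as_posix()] = info
    return report


def make_jar(path, version=None, maven=None, classes=()):
    """Write a constructed jar (zip) with a manifest, optional pom.properties, placeholder classes."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if maven and version:
            g, a = maven
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                        f"version={version}\ngroupId={g}\nartifactId={a}\n")
        for cls in classes:
            zf.writestr(cls, b"placeholder, not real bytecode")


def demo():
    """Constructed tree echoing the thread's listing, plus two 2.x cases; returns scan()."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    lib = root / "CVAnalytics/DataCube/app/webapps/server/WEB-INF/lib"
    make_jar(lib / "log4j.jar", "1.2.17", maven=("log4j", "log4j"), classes=[LOG4J1_LOGGER])
    make_jar(lib / "apache-log4j-extras.jar", "1.2.17")
    make_jar(lib / "slf4j-log4j12.jar", "1.7.30", maven=("org.slf4j", "slf4j-log4j12"))
    make_jar(root / "constructed/log4j-core-2.14.1.jar", "2.14.1", classes=[LOG4J2_LOGGER, JNDI_LOOKUP])
    make_jar(root / "constructed/log4j-core-2.17.1.jar", "2.17.1", classes=[LOG4J2_LOGGER, JNDI_LOOKUP])
    return scan(root)


if __name__ == "__main__":
    for path, info in demo().items():
        print(f"{info['status']:24} {info['version'] or '?':8} jndi={info['jndi_lookup']!s:5} {path}")
```

The slf4j binding in the demo carries version 1.7.30, which a version-only check would file under "log4j 1.x"; the class check files it under "other", which is the point of looking inside the jar rather than at its name. A log4j1 result agrees with the developer's statement about lookups, but log4j 1.x has been end of life since 2015 and carries its own separately tracked issues, so it is a reason to ask the vendor about removal or replacement rather than a reason to stop looking.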
Badge

There is an official fix out for different versions; kindly check with CommVault support.

Userlevel 7
Badge +19

@Stuart Painter / @Brock can you please make sure:

  1. this information is sent via mail to customers
  2. the MA portal shows a message

Thanks!

Userlevel 4
Badge +15

Hello, 

In this case the agents for Oracle and SQL are affected. Would it work if I install the updates on the CommServe and then run an update on all Oracle and SQL agents, or do the packages need to be deployed to each Oracle client?
The vulnerability should be fixed when the CommServe gets the update.
The media agents are not mentioned here. Do they also need the update?

Badge

It is recommended to push it on all. SQL and Oracle systems will be affected only if they are using log4j version 2.

 

better to put it on all and do half work :)

Userlevel 4
Badge +15

Hello @Hussain

All right, thanks. Then I will run the updates on the Media Agents and the Commvault web server as well, and finally run an update on all Oracle and SQL clients.
Once I install the update, the Commvault services will shut down once and then start up again after the update.
Is the update then also immediately available for the SQL and Oracle clients, or do I have to consider something else?

Badge
  1. Share your environment details with CommVault support and discuss in detail with them; they are helping in a very reliable manner.
  2. It is always recommended to install the hotfix on the CommServe and Media Agent first before pushing it to client servers, else there will be compatibility issues.
  3. log4j is troublesome only if your Oracle and SQL system has its version 2 installed on it.
  4. CommVault is using version 1 of log4j; still, it is recommending going to the latest hotfix as per your service pack.
  5. Anything above service pack 16 has a hotfix available right now; anyone running a version below that needs to reach out to CommVault support for help and a recommendation.
Userlevel 3
Badge +11

We are on feature release version 11.24.21 for CS + MA and clients.

Not using Cloud Apps, but we have MSSQL and Oracle iDataAgents for backups and recovery.

How to check if we are using database archiving, data masking, and logical dump backup?

Do I need to upgrade clients if I am taking MSSQL and Oracle iDataAgent based backups?

Any upgrade required for CS and MA?

 

Userlevel 3
Badge +11

Hello everyone,

How do I check if we are using database archiving, data masking, logical dump backup and table level restore? We have many clients which have the Oracle and MSSQL agent installed, but is there any way or report to identify whether the below-mentioned features are in use or not?

  • Oracle agent - Database archiving, data masking, and logical dump backup

  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore

 

Badge

The 11.24 download bundle fix for Log4j includes HotFixes 4551, 4552 & 4553. I'm on the required 11.24.23 version, but when I click "download latest fixes for current version" and then run an update, it doesn't install them. We have clients with Cloud Apps, Oracle and SQL, but it says they are up to date.

Badge

Any news about the MongoDB + Tomcat products used in CommVault 11.24.23?

“MongoDB Atlas Search” is the only product of MongoDB that is vulnerable: https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb

Userlevel 3
Badge +11

@Stuart Painter @Brock @M Scheepers 

I am using CV Oracle and Microsoft SQL agents (11.24.21) for backups and recovery, but not using database archiving, data masking, logical dump backup or table level restore. Do I need to follow these guidelines, or since I am not using any of these features, do I not have to take any action in my backup environment? Please clarify.

  • Cloud Apps package
  • Oracle agent - Database archiving, data masking, and logical dump backup
  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore
Badge

@Stuart Painter @Brock @M Scheepers 

I am using CV Oracle and Microsoft SQL agents (11.24.21) for backups and recovery, but not using database archiving, data masking, logical dump backup or table level restore. Do I need to follow these guidelines, or since I am not using any of these features, do I not have to take any action in my backup environment? Please clarify.

  • Cloud Apps package
  • Oracle agent - Database archiving, data masking, and logical dump backup
  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore

I am also not quite sure about the Cloud Apps package, whether it includes Azure blob storage. We too don't use the Oracle and SQL features mentioned in the vulnerability.

Userlevel 7
Badge +23

Hey all, FYI I created a sticky article with the latest info here. If you have any questions, please discuss there so everyone can benefit!

 

Userlevel 7
Badge +23

FYI we have a new article to discuss this concern:

 

I’ll close this off as we want to keep all discussions together for everyone’s collective benefit :nerd: