Is Commvault affected by the Log4j vulnerability?
If yes, is there a patch available?
If no, is there a link to the official statement of Commvault saying so?
Greets
Nanco de Cortie
Hi
I’d suggest checking this thread:
We do have an official statement published here: https://documentation.commvault.com/v11/essential/146231_security_vulnerability_and_reporting.html
Best Regards,
Michael
I am using CV Oracle and Microsoft SQL agents (11.24.21) for backups and recovery but not using Database archiving, data masking, logical dump backup and table level restore. Do I need to follow these guidelines, or since I am not using any of these features, do I not have to take any action in my backup environment? Please clarify.
Hey
Even though you’re not specifically using these features, it is still possible that the affected binaries are present on your servers.
To mitigate any risk here, I would still suggest downloading and installing the following updates from the Commvault store for your Feature Release on the affected client computers.
Feature Release | Minimum Maintenance Release Required | Update |
---|---|---|
11.25 | ||
11.24 | ||
11.23 | ||
11.22 | ||
11.21 | ||
11.20 | ||
SP16 |
Best Regards,
Michael
I have approx. 300+ clients which have the SQL or Oracle iDataAgent configured. We are currently at level 11.24.21 for CS + MA + the majority of clients.
Regards, Mohit
Did you install it on clients, or on the CommServe and media agents as well?
Can we remotely install the fix to all affected clients?
What is the procedure you took?
I am looking for this as well: how to download / push to affected clients via the CommServe.
Could you share documents with steps on how to do this?
Thanks
Kent
Hi
I started a new article with all of the details listed here:
How to verify the running version of log4j?
YES! How do we install the patch? That is the question….
https://community.commvault.com/technical-q-a-2/log4j-been-used-in-commvault-1985
Here is the link to get the patch, which I have installed. I need to document and verify the version - how do I do that?
@Vinny, After applying the patch, right click on the server that was patched and then right click, go to properties and then version and the hotfix shows up.
Installed the patch but still being detected as vulnerable, and when I check:
C:\Program Files\Commvault\ContentStore\Base\vmheartbeatmon\zookeeper\lib
I still see:
log4j-1.2.16.jar
Shouldn’t it remove this?
Hi
Log4j v1.x is not impacted by this vulnerability, so you may still see lingering files for this older version. Commvault is actively looking to upgrade these too, although the current priority is to patch all log4j v2.0-2.14 binaries.
FYI all, we have a new article created to discuss all concerns about this vulnerability.
I’m going to close this thread off as we want to make sure we are all talking to each other and benefiting from the collective wisdom.
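The following is an added example, not part of the original thread and not Commvault's own tooling. It walks an install directory for log4j jars, reads the version from each file name, buckets it by the ranges given in the reply above (1.x versus 2.0-2.14), and reports whether the jar contains the log4j-core `JndiLookup` class. The function names and the file-name pattern are assumptions.

```python
import os
import re
import zipfile

# Class shipped inside log4j-core 2.x jars; absent from 1.x jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumed naming: log4j[-something]-MAJOR.MINOR[.PATCH].jar; the version is the
# last dotted number before ".jar". Names without a plain version are skipped.
NAME_RE = re.compile(r"^log4j[\w.-]*?-(\d+)\.(\d+)(?:\.(\d+))?\.jar$", re.I)


def classify(major, minor):
    """Bucket a version using the ranges stated in the thread reply."""
    if major == 1:
        return "1.x (reply: not impacted by this vulnerability)"
    if major == 2 and 0 <= minor <= 14:
        return "2.0-2.14 (reply: patch priority)"
    return "outside 2.0-2.14"


def scan(root):
    """Return sorted (relative_path, version, bucket, has_jndi_lookup) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NAME_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    has_jndi = JNDI_CLASS in jar.namelist()
            except (zipfile.BadZipFile, OSError):
                has_jndi = None  # unreadable archive: review by hand
            version = ".".join(g for g in m.groups() if g is not None)
            bucket = classify(int(m.group(1)), int(m.group(2)))
            findings.append((os.path.relpath(path, root), version, bucket, has_jndi))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: python scan_log4j.py <install directory>
    for row in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep=" | ")
```

Run it before and after applying the update and keep both outputs as the record of what changed on each client.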