Is commvault effected by the LOG4j vulnerability.
When yes, is there a patch available
When no is there a link to de official statement of Commvault telling so.
Greets
Nanco de Cortie
If you have a question or comment, please create a topic
+14- Vaulter
Hi
I’d suggest checking this thread:
We do have an official statement published here: https://documentation.commvault.com/v11/essential/146231_security_vulnerability_and_reporting.html
Best Regards,
Michael
+10- Novice
Iam using CV Oracle and Microsoft SQL agents(11.24.21) for backups and recovery but not using Database archiving, data masking, logical dump backup and table level restore . Do i need to follow this guidelines or since Iam not using any of these features i don't have to take any action in my backup environment ? Please clarify .
- Cloud Apps package
- Oracle agent - Database archiving, data masking, and logical dump backup
- Microsoft SQL Server agent - Database archiving, data masking, and table level restore
+14- Vaulter
Hey
Even though you’re not specifically using these features, It is still possible that the affected binaries are still present in your servers here.
To mitigate any risk here, I would still suggest to Download and install the following updates from the Commvault store for your Feature Release on the affected client computers.
| Feature Release | Minimum Maintenance Release Required | Update |
|---|---|---|
| 11.25 | ||
| 11.24 | ||
| 11.23 | ||
| 11.22 | ||
| 11.21 | ||
| 11.20 | ||
| SP16 |
Best Regards,
Michael
+10- Novice
I have approx 300+ clients which has SQL or Oracle idataagent configured . We are currently at level 11.24.21 for CS + MA + majority of Clients .
- Do you recommend to upgrade CS from 11.24.21 to 11.24.23 , then install the fix 11.24 Log4J Fix ?
- Upgrade media agents from 11.24.21 to 11.24.23 and then install the fix 11.24 Log4J Fix ?
- Would i be able to push the fix 11.24 Log4J Fix remotely to SQL and Oracle clients similar to how we push maintenance release after upgrading CS or i need to manually install the fix on all 300+ clients after upgrading the clients to maintenance release 11.24.23 ?
Regards,Mohit
+10- Novice
Did you installed it on clients or commseve and media agents as well ?
Can we remotely install the fix to all affected clients ?
What is the procedure you took ?
- Novice
I am looking for this as well, how to download / push to affected clients via commseve .
Could you share documents with steps how to do this ?
Thanks
Kent
+22- Vaulter
- Answer
Hi
I started a new article with all of the details listed here:
- Novice
https://community.commvault.com/technical-q-a-2/log4j-been-used-in-commvault-1985
Here is the link to get the patch, which I have installed. I need to document and verify the version - how do I do that?
- Novice
@Vinny, After applying the patch, right click on the server that was patched and then right click, go to properties and then version and the hotfix shows up.
- Novice
Installed patch but still being detected as vulnerable, and when i check:
C:\Program Files\Commvault\ContentStore\Base\vmheartbeatmon\zookeeper\lib
I still see:
log4j-1.2.16.jar
Shouldn’t it remove this?
- Vaulter
hi
Log4j v1.x is not impacted by this vulnerability so you may still see lingering files for this older version. Commvault is actively looking to upgrade these too although current priority is to patch all log4j v2.0-2.14 binaries.
+22- Vaulter
FYI all, we have a new article created to discuss all concerns about this vulnerability.
I’m going to close this thread off as we want to make sure we are all talking to each other and benefiting from the collective wisdom 
https://www.linkedin.com/in/michael-struening
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.