Skip to main content
commvault.com commvault.com

Last week one of our customers asked us if Commvault was using Python as they were investigating the vulnerability CVE 2015-20107. I found through another community post that Metrics servers or CommServes with metrics package are using Python.

Python 3 usage on Commserve

All versions of Python are currently vulnerable (up to latest release 3.10.4) so in-place patching of Python will no resolve this vulnerability in Python.

Is Commvault vulnerable and what workarounds and/or mitigations are recommended?

@AnyLinQ_Support , I’m not aware of this exact CVE and am not seeing much other than 1 person asking.

We do have a KB for upgrading Python:

https://kb.commvault.com/article/69232

Tagging @DMCVault in case he knows.

@AnyLinQ_Support , I’m not aware of this exact CVE and am not seeing much other than 1 person asking.

We do have a KB for upgrading Python:

https://kb.commvault.com/article/69232

Tagging @DMCVault in case he knows.

Thank you for the suggestion. I saw the manual upgrade KB as well. This will at least help when Python can be updated with a patched version.

 For the last 2 java vulnerabilities (log4j and spring4shell) the vulnerable versions were present but CV was not using them in a vulnerable way. I was hoping if anyone could tell if this is also the case as well for this CVE and if not, if there are any recommendation to temporarily mitigate.

@AnyLinQ_Support  we checked into this - we don't use the mailcap module, so we are not affected by this cve.  In the short term you can follow the kb to manually upgrade Python in case you are required to upgrade anyway.

@AnyLinQ_Support  we checked into this - we don't use the mailcap module, so we are not affected by this cve.  In the short term you can follow the kb to manually upgrade Python in case you are required to upgrade anyway.

Thank you very much for investigating. That at least resolves the issue for us regarding Commvault. 

Terms & ConditionsCookie settings