server scanned hot for log4j after upgrade

  • January 7, 2022
  • 4 replies
  • 530 views

I upgraded my CommServ to 11_20_85 and I read that this would remediate the log4j vulnerability. So I had the IA folks rescan the server and it came back hot and this is the path they cited. E:\ProgramFiles\Commvault\ContentStore\CVCIEngine\CvPreviewHome\webapps\CvContentPreviewGenApp\WEB-INF\lib\log4j-1.2.17.jar - they are advising to upgrade to a version of Apache Log4j

4 replies

Aplynx
Vaulter
  • Answer
  • January 7, 2022

Please take a look at this thread:

CVE-2021-4104: The Commvault software does not use the JMSAppender module and, therefore, the vulnerability about log4j 1.x versions does not affect any Commvault products.


  • Author
  • Novice
  • January 7, 2022

Thanks, I’ll relay this to our IA folks


  • Author
  • Novice
  • January 7, 2022

Out of curiosity, can this jar file be deleted?


Mike Struening
Vaulter

@Will Patrick, I wouldn't delete anything. We likely use it for valid purposes, just not the vulnerable aspect/portion.
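
Added example, not part of the original thread and not Commvault code: a small Python audit that separates what the scanner flagged (a log4j 1.x jar that ships the JMSAppender class) from what CVE-2021-4104 depends on (a log4j configuration that actually names JMSAppender). The function names and the sample tree built by `build_sample` are constructed for illustration. It assumes plain `log4j.properties` / `log4j.xml` files on disk and only skips `.properties`-style comment lines.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"   # class named in CVE-2021-4104
JMS_REF = re.compile(r"org\.apache\.log4j\.net\.JMSAppender")
LOG4J1_JAR = re.compile(r"log4j-1\.\d.*\.jar", re.I)

def jar_ships_jmsappender(jar_path):
    """True if the jar contains the JMSAppender class file."""
    with zipfile.ZipFile(jar_path) as jar:
        return JMS_CLASS in jar.namelist()

def config_lines_using_jms(text):
    """Line numbers of non-comment lines (.properties style) naming JMSAppender."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith(("#", "!")) and JMS_REF.search(line)]

def audit(root):
    """Separate 'class is present' from 'a config actually enables it'."""
    report = {"jars_with_class": [], "configs_enabling": []}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if LOG4J1_JAR.fullmatch(p.name) and jar_ships_jmsappender(p):
            report["jars_with_class"].append(str(p))
        elif p.name.lower() in ("log4j.properties", "log4j.xml"):
            hits = config_lines_using_jms(p.read_text(errors="replace"))
            if hits:
                report["configs_enabling"].append((str(p), hits))
    return report

def build_sample(root):
    """Constructed test tree: a stand-in jar plus one log4j.properties."""
    lib = Path(root, "WEB-INF", "lib")
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-1.2.17.jar", "w") as jar:
        jar.writestr(JMS_CLASS, b"")          # empty placeholder, not real bytecode
    Path(root, "log4j.properties").write_text(
        "log4j.rootLogger=INFO, file\n"
        "# log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
        "log4j.appender.file=org.apache.log4j.RollingFileAppender\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

An empty `configs_enabling` list alongside a populated `jars_with_class` list is the situation described in the answer above: the class is on disk but nothing found configures it. The script does not see configuration packed inside archives or appenders attached in code, so the vendor statement remains the authority on those.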