Hi folks,
We are aware of a pair of new zero-day vulnerabilities tentatively listed under CVE-2022-22963 and CVE-2022-22965, also known as 'Spring4Shell'.
We have an official page in our documentation for this situation located here. However, we can discuss late breaking updates or questions in this community thread.
Summary
Last updated May 5th, 2022, 12:28 AM EST
Commvault makes use of the Spring framework; however, neither CVE-2022-22963 nor CVE-2022-22965 applies to Commvault software or Metallic. Commvault does not utilize the Spring MVC or Spring WebFlux components, which means we are not vulnerable to either exploit.
The Spring framework is present in a few Commvault components, which are, again, unaffected by the two stated vulnerabilities:
- CVMessageQueue service (CVMessageQueue.exe), responsible for push notifications for jobs, events, and alerts. This service is deployed with the Web Console and Command Center package. Security scanners may find the affected Spring binaries in Commvault\ContentStore\MessageQueue\lib\optional\
- SQL and Oracle agents. Security scanners may find DbArchiveEngine.jar, which contains an older Spring framework release.
Although we are not vulnerable to either exploit, the bundled Spring framework will be upgraded so that the binaries no longer get flagged by security scanners. The table below lists, for each feature release, the maintenance release that removes the binaries that can cause false-positive alerts on security scanners.
Feature Release | Maintenance Release
--- | ---
11.26 | 11.26.23
11.25 | 11.25.32
11.24 | 11.24.48
11.23 | 11.23.59
11.20 | 11.20.103
SP16 | SP16.153
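A scanner hit on a Spring jar says only that the bytes are present; whether CVE-2022-22965 is reachable depends on which artifacts ship and which release line they come from. The script below is an added example (not Commvault's own tooling) that inventories spring-*.jar files under a directory such as the MessageQueue\lib\optional\ location named above, reads each jar's manifest version, and reports whether the spring-webmvc or spring-webflux components are present and whether the version predates the Spring Framework 5.3.18 / 5.2.20 fix releases. The directory layout and jar names it builds are constructed samples, and the "likely false positive" verdict is a heuristic assumption for triage, not a vendor statement.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Artifacts the Spring4Shell (CVE-2022-22965) exploit chain requires.
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}
# Spring Framework release lines that received the CVE-2022-22965 fix.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Matches Spring's published naming: spring-<artifact>-<version>[.RELEASE].jar
JAR_RE = re.compile(r"^(spring-[a-z]+(?:-[a-z]+)*)-(\d+\.\d+\.\d+)(?:\.RELEASE)?\.jar$")


def version_tuple(version):
    """'5.2.19.RELEASE' -> (5, 2, 19); only the first three numeric fields matter."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def below_fix_line(vt):
    """True when this Spring Framework version predates the CVE-2022-22965 fixes."""
    if vt[:2] in FIXED:
        return vt < FIXED[vt[:2]]
    return vt < (5, 2)  # 4.x / 5.0 / 5.1 are out of support and never received a fix


def inventory_spring_jars(root):
    """Walk root and return {path, artifact, version} for every Spring jar found."""
    found = []
    for path in sorted(Path(root).rglob("*.jar")):
        m = JAR_RE.match(path.name)
        if not m:
            continue  # not a Spring Framework artifact (e.g. activemq-client)
        artifact, version = m.group(1), m.group(2)
        try:
            # Prefer the manifest's Implementation-Version over the filename.
            with zipfile.ZipFile(path) as zf:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            mm = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if mm:
                version = mm.group(1)
        except (zipfile.BadZipFile, KeyError):
            pass  # unreadable jar or no manifest: fall back to the filename version
        found.append({"path": str(path), "artifact": artifact, "version": version})
    return found


def classify(jar):
    vt = version_tuple(jar["version"])
    return {
        **jar,
        "web_component": jar["artifact"] in WEB_ARTIFACTS,
        "below_fixed_version": below_fix_line(vt),
    }


def assess(root):
    """Classify every Spring jar under root and summarize the exposure picture."""
    jars = [classify(j) for j in inventory_spring_jars(root)]
    web_present = any(j["web_component"] for j in jars)
    old_present = any(j["below_fixed_version"] for j in jars)
    return {
        "jars": jars,
        "web_component_present": web_present,
        # Heuristic (assumption): an old spring-core/spring-beans without any
        # MVC/WebFlux artifact is a version-based scanner hit, not a reachable
        # exploit path. Upgrading is still the way to silence the scanner.
        "likely_false_positive": old_present and not web_present,
    }


def build_sample_tree():
    """Constructed stand-in for a scanner hit: jars with manifests in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="spring-inventory-"))
    lib = root / "MessageQueue" / "lib" / "optional"
    lib.mkdir(parents=True)
    samples = {
        "spring-core-5.3.16.jar": "5.3.16",
        "spring-beans-5.3.16.jar": "5.3.16",
        "activemq-client-5.16.4.jar": None,  # non-Spring jar, must be ignored
    }
    for name, version in samples.items():
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        with zipfile.ZipFile(lib / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return root


if __name__ == "__main__":
    report = assess(build_sample_tree())
    for j in report["jars"]:
        flag = "WEB " if j["web_component"] else "    "
        old = "OLD " if j["below_fixed_version"] else "    "
        print(f"{flag}{old}{j['artifact']} {j['version']}  {j['path']}")
    print("web component present:", report["web_component_present"])
    print("likely false positive:", report["likely_false_positive"])
```

Point `assess()` at a real install path to get the same report; a hit on spring-webmvc or spring-webflux, or a jar below the fix line on a host that also runs Tomcat with a JDK 9 or later runtime, deserves a closer look rather than a false-positive label.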
Update log
Update May 5th, 2022, 12:28 AM EST
- Table fully updated with all maintenance releases that update the required binaries
Update April 10th, 2022, 10:40 PM EST
- Both updates are in test
Update April 4th, 2022, 7:30 PM EST
- Reformatted post with summary
- Added fix table with form IDs (will switch out to update / MR number once available)
- Confirmed the Spring framework is applicable to SQL and Oracle agents (but not vulnerable)
Update April 4th, 2022, 6:40 PM EST
Some agents leverage the Spring framework. Commvault leverages the framework in its .JAR form and does not leverage Tomcat for these deployments, and therefore is not vulnerable.
Security scanners may find the affected Spring binaries in:
/opt/commvault/Base64/DbJars
More to come...
Update April 3rd, 2022, 11:50 PM EST
We have an official page in our documentation for this situation located here.
To reiterate, Commvault is not affected by this vulnerability. As a precaution, we are upgrading the Message Queue application to the version recommended by Spring.io in our upcoming maintenance releases.
Update March 31, 2022, 10:45 PM EST
Early investigation from our engineering team shows that we do not utilize the Spring MVC or Spring WebFlux components, meaning that we do not appear to be vulnerable to this recent exploit.
That being said, Spring binaries are present as part of the JDK framework which is leveraged by our CVMessageQueue service (CVMessageQueue.exe), responsible for push notifications for jobs, events, and alerts. This service is deployed with the Web Console and Command Center package.
Security scanners may find the affected Spring binaries in Commvault\ContentStore\MessageQueue\lib\optional\