Solved

Tomcat Vulnerability CVE-2024-52316

3 months ago
November 19, 2024
6 replies
1214 views

PatricG
Byte
25 replies

Hi,

We’re running 11.32.73.
The Tomcat version used have at least two vulnerabilities, CVE-2024-52316 and CVE-2024-38286.
When checking the windows service it says it’s version 10.1.8. When checking the catalina.jar file it shows version 10.1.19.
Still we need to get past 10.1.30 to fix CVE-2024-52316 which have the status Critical.
When do you plan to update the Tomcat version?

Best answer by Blaine Busler

@PatricG

A Tomcat update to 10.1.31 has already been tested and is tentatively scheduled for release with 11.32.75.

In any case, we do not configure Tomcat to use a custom ServerAuthContext, so the Commvault Tomcat Service is not impacted by CVE-2024-52316.

View original

Did this answer your question?

Blaine Busler
Vaulter
11 replies
Answer
3 months ago
November 19, 2024

@PatricG

A Tomcat update to 10.1.31 has already been tested and is tentatively scheduled for release with 11.32.75.

In any case, we do not configure Tomcat to use a custom ServerAuthContext, so the Commvault Tomcat Service is not impacted by CVE-2024-52316.

TP_Erickson
Byte
23 replies
3 months ago
November 19, 2024

we are running into a similar vulnerability where our security team is seeing a plugin

“libcurl 7.32.0<8.9.1 DoS (CVE-2024-7264)”

@Blaine Busler - Im assuming the that this is the same issue? right now my enviroment is on 11.32.69 and it looks like upgrading it to 11.32.73 wont to much?🤷

Blaine Busler
Vaulter
11 replies
3 months ago
November 19, 2024

@TP_Erickson if you’re seeing that reported against Tomcat (basically everything in Commvault’s Apache folder), its likely a false positive. Tomcat doesn’t use libcurl, as the Tomcat devs discuss here.

PatricG
Author
Byte
25 replies
3 months ago
November 20, 2024

@Blaine Busler Thank you for the quick response. I read it when you answered though I did not have time to answering it my self at the time being.

HEI
Bit
1 reply
3 months ago
November 29, 2024

@Blaine Busler Thanks you very much for information, but do you have date about disponibility of release 11.32.75 ?

+11

Javier
Vaulter
241 replies
3 months ago
December 2, 2024

If we check the regular release schedule for MRs, we can see we normally release a new one by first week of the month = https://documentation.commvault.com/2023e/expert/list_of_maintenance_releases_for_commvault_platform_release_2023e.html

Following this trend, I would imagine MM77 to be available between this and next week. It will include all the enhancements from MR75 including the Tomcat update

Reply

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos

Reply

Related topics

Job stuck on Activeicon

Job stuck with state Waitingicon

Waiting for executions before starting a process

Running Job execution not visible in Job Execution Logicon

Job not triggeredicon

Most helpful members this week

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings