
Hi,

We’re running 11.32.73.
The Tomcat version used has at least two vulnerabilities, CVE-2024-52316 and CVE-2024-38286.
When checking the Windows service it says it’s version 10.1.8. When checking the catalina.jar file it shows version 10.1.19.
Still, we need to get past 10.1.30 to fix CVE-2024-52316, which has the status Critical.
When do you plan to update the Tomcat version?
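The post above notes that the Windows service reports one Tomcat version while catalina.jar reports another. The jar is what actually runs, so a defender should read the version from the jar itself. The script below is an added example (not Commvault's or Tomcat's code) that reads `server.number` from `org/apache/catalina/util/ServerInfo.properties` inside catalina.jar, the standard location for a stock Tomcat build, and compares it with the first fixed release named in this thread (10.1.31). `constructed_jar()` builds a throwaway in-memory jar with constructed sample data so the script runs offline; point `tomcat_version_from_jar()` at a real `lib/catalina.jar` instead.

```python
"""Read the Tomcat version out of catalina.jar and compare it with a fix threshold.

Added example (not Commvault's or Tomcat's code). Assumes the stock Tomcat
layout in which catalina.jar carries org/apache/catalina/util/ServerInfo.properties
with a "server.number" key. constructed_jar() is sample data, not a real jar.
"""
import io
import re
import sys
import zipfile
from pathlib import Path
from typing import Tuple

SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.19.0' or 'Apache Tomcat/10.1.19' into a comparable tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def tomcat_version_from_jar(jar_path) -> Tuple[int, ...]:
    """Return the version recorded inside catalina.jar (what actually runs),
    rather than whatever the Windows service display name says."""
    with zipfile.ZipFile(jar_path) as jar:
        props = jar.read(SERVER_INFO).decode("utf-8", errors="replace")
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.number":
            return parse_version(value.strip())
    raise ValueError("server.number not present in ServerInfo.properties")


def needs_update(installed: Tuple[int, ...], minimum_fixed: Tuple[int, ...]) -> bool:
    """True when the installed version is older than the first fixed release.
    Versions are zero-padded so 10.1.31.0 compares equal to 10.1.31."""
    n = max(len(installed), len(minimum_fixed))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(installed) < pad(minimum_fixed)


def constructed_jar(version: str = "10.1.19") -> io.BytesIO:
    """Constructed stand-in for lib/catalina.jar (sample data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            SERVER_INFO,
            f"server.info=Apache Tomcat/{version}\n"
            f"server.number={version}.0\n"
            "server.built=constructed\n",
        )
    buf.seek(0)
    return buf


def check(jar, fixed_in: str = "10.1.31") -> dict:
    """Compare the version inside the jar with the first fixed release."""
    installed = tomcat_version_from_jar(jar)
    fixed = parse_version(fixed_in)
    return {
        "installed": ".".join(map(str, installed)),
        "fixed_in": fixed_in,
        "needs_update": needs_update(installed, fixed),
    }


if __name__ == "__main__":
    # Usage: python check_tomcat.py /path/to/lib/catalina.jar
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else constructed_jar()
    print(check(target))
```

Run it against the real `lib/catalina.jar` under the Commvault Apache folder to see the version the running Tomcat reports, independent of the service display name.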

@PatricG

A Tomcat update to 10.1.31 has already been tested and is tentatively scheduled for release with 11.32.75.

In any case, we do not configure Tomcat to use a custom ServerAuthContext, so the Commvault Tomcat Service is not impacted by CVE-2024-52316.


we are running into a similar vulnerability where our security team is seeing a plugin

“libcurl 7.32.0<8.9.1 DoS (CVE-2024-7264)”

@Blaine Busler - I'm assuming that this is the same issue? Right now my environment is on 11.32.69 and it looks like upgrading it to 11.32.73 won't do much?🤷


@TP_Erickson if you’re seeing that reported against Tomcat (basically everything in Commvault’s Apache folder), it’s likely a false positive. Tomcat doesn’t use libcurl, as the Tomcat devs discuss here.



@Blaine Busler Thank you for the quick response. I read it when you answered, though I did not have time to answer it myself at the time.


@Blaine Busler Thank you very much for the information, but do you have a date for the availability of release 11.32.75?


If we check the regular release schedule for MRs, we can see we normally release a new one by the first week of the month: https://documentation.commvault.com/2023e/expert/list_of_maintenance_releases_for_commvault_platform_release_2023e.html

Following this trend, I would imagine MM77 to be available between this and next week. It will include all the enhancements from MR75, including the Tomcat update.

