@PatricG
A Tomcat update to 10.1.31 has already been tested and is tentatively scheduled for release with 11.32.75.
In any case, we do not configure Tomcat to use a custom ServerAuthContext, so the Commvault Tomcat Service is not impacted by CVE-2024-52316.
We are running into a similar vulnerability where our security team is seeing a plugin:
"libcurl 7.32.0<8.9.1 DoS (CVE-2024-7264)"
@Blaine Busler - I'm assuming that this is the same issue? Right now my environment is on 11.32.69 and it looks like upgrading it to 11.32.73 won't do much?
@TP_Erickson If you're seeing that reported against Tomcat (basically everything in Commvault's Apache folder), it's likely a false positive. Tomcat doesn't use libcurl, as the Tomcat devs discuss here.
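Both points raised above (Blaine Busler's reply that CVE-2024-52316 only matters when Tomcat is configured with a custom ServerAuthContext, and the libcurl finding against the Apache folder being a scanner false positive) can be checked directly against the install rather than taken from the scanner. The script below is an added example, not Commvault's or Tomcat's own code. It assumes a single directory holding both `lib/catalina.jar` and `conf/jaspic-providers.xml` (i.e. CATALINA_HOME and CATALINA_BASE are the same), reads the version from the `ServerInfo.properties` that ships inside `catalina.jar`, lists any Jakarta Authentication (JASPIC) providers declared in `conf/jaspic-providers.xml`, and walks the tree looking for any file actually named `libcurl*`. The fixed-version threshold (10.1.31) is the one from this thread; the `com.example.CustomAuthConfigProvider` class name and the temporary sample install are constructed for the demo. Caveat: a webapp can also register a provider programmatically through `AuthConfigFactory`, which a file check will not see.

```python
"""Added check for the two findings discussed in this thread (example code, not
Commvault's or Tomcat's). Assumes lib/ and conf/ live under one base directory."""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

FIXED_10_1 = (10, 1, 31)  # from the thread: 10.1.30 affected, 10.1.31 carries the fix

def parse_version(text):
    """'10.1.30.0' -> (10, 1, 30); returns None if no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def tomcat_version(base):
    """Read server.number from ServerInfo.properties packaged in lib/catalina.jar."""
    jar = os.path.join(base, "lib", "catalina.jar")
    with zipfile.ZipFile(jar) as zf:
        props = zf.read("org/apache/catalina/util/ServerInfo.properties").decode()
    for line in props.splitlines():
        if line.startswith("server.number="):
            return parse_version(line.split("=", 1)[1])
    return None

def jaspic_providers(base):
    """className of every <provider> declared in conf/jaspic-providers.xml.
    Tomcat's default file declares none; any entry means a custom ServerAuthContext
    can be in use. Providers registered programmatically are not visible here."""
    path = os.path.join(base, "conf", "jaspic-providers.xml")
    if not os.path.exists(path):
        return []
    root = ET.parse(path).getroot()
    # tags carry the http://tomcat.apache.org/xml namespace; strip it before comparing
    return [p.attrib.get("className", "?") for p in root.iter()
            if p.tag.split("}")[-1] == "provider"]

def libcurl_files(base):
    """Any file whose name contains 'libcurl' under the install tree."""
    hits = []
    for dirpath, _, files in os.walk(base):
        hits += [os.path.join(dirpath, f) for f in files if "libcurl" in f.lower()]
    return sorted(hits)

def assess(base):
    version = tomcat_version(base)
    providers = jaspic_providers(base)
    # only the 10.1 branch is handled, matching the versions discussed in the thread
    in_affected_range = version is not None and version[:2] == (10, 1) and version < FIXED_10_1
    return {
        "version": version,
        "providers": providers,
        "cve_2024_52316_exposed": in_affected_range and bool(providers),
        "libcurl_files": libcurl_files(base),
    }

# Constructed sample files for an offline demo; not a real Commvault layout.
DEFAULT_PROVIDERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<jaspic-providers xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- No providers configured by default -->
</jaspic-providers>
"""
CUSTOM_PROVIDERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<jaspic-providers xmlns="http://tomcat.apache.org/xml" version="1.0">
  <provider name="custom-auth" className="com.example.CustomAuthConfigProvider"
            layer="HttpServlet" appContext="localhost /app"/>
</jaspic-providers>
"""

def make_fake_tomcat(server_number, providers_xml):
    """Build a throwaway directory with lib/catalina.jar and conf/jaspic-providers.xml."""
    base = tempfile.mkdtemp(prefix="tomcat-")
    os.makedirs(os.path.join(base, "lib"))
    os.makedirs(os.path.join(base, "conf"))
    with zipfile.ZipFile(os.path.join(base, "lib", "catalina.jar"), "w") as zf:
        zf.writestr("org/apache/catalina/util/ServerInfo.properties",
                    f"server.info=Apache Tomcat/{server_number[:-2]}\n"
                    f"server.number={server_number}\n")
    with open(os.path.join(base, "conf", "jaspic-providers.xml"), "w") as fh:
        fh.write(providers_xml)
    return base

if __name__ == "__main__":
    # Point assess() at a real install instead, e.g. assess("/opt/tomcat").
    for number, xml in (("10.1.30.0", DEFAULT_PROVIDERS_XML),
                        ("10.1.30.0", CUSTOM_PROVIDERS_XML),
                        ("10.1.31.0", CUSTOM_PROVIDERS_XML)):
        print(number, assess(make_fake_tomcat(number, xml)))
```

On a real host, run `assess()` against the Tomcat directory the scanner flagged: an empty `providers` list is what backs the "not impacted" statement even while the version is still 10.1.30, and an empty `libcurl_files` list is what you would expect if the libcurl plugin is matching on the folder rather than on an actual library.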
@Blaine Busler Thank you for the quick response. I read it when you answered, though I did not have time to answer it myself at the time.
@Blaine Busler Thank you very much for the information, but do you have a date for the availability of release 11.32.75?
If we check the regular release schedule for MRs, we can see we normally release a new one by the first week of the month: https://documentation.commvault.com/2023e/expert/list_of_maintenance_releases_for_commvault_platform_release_2023e.html
Following this trend, I would imagine MM77 to be available between this and next week. It will include all the enhancements from MR75, including the Tomcat update.
We upgraded our Commvault infrastructure to version 11.36.46, but the Tomcat version still seems to be affected (10.1.30.0).
How can we ensure the Tomcat version is safe from this vulnerability?
Regards
Zsolt
Hi @Zsolt Botfa,
As previously mentioned by Blaine:
In any case, we do not configure Tomcat to use a custom ServerAuthContext, so the Commvault Tomcat Service is not impacted by CVE-2024-52316.