@PatricG
A Tomcat update to 10.1.31 has already been tested and is tentatively scheduled for release with 11.32.75.
In any case, we do not configure Tomcat to use a custom ServerAuthContext, so the Commvault Tomcat Service is not impacted by CVE-2024-52316.
We are running into a similar vulnerability where our security team is seeing a plugin
“libcurl 7.32.0<8.9.1 DoS (CVE-2024-7264)”
@Blaine Busler - I'm assuming that this is the same issue? Right now my environment is on 11.32.69 and it looks like upgrading it to 11.32.73 won't do much?
@TP_Erickson if you’re seeing that reported against Tomcat (basically everything in Commvault’s Apache folder), it's likely a false positive. Tomcat doesn’t use libcurl, as the Tomcat devs discuss here.
@Blaine Busler Thank you for the quick response. I read it when you answered, though I did not have time to answer it myself at the time.
@Blaine Busler Thank you very much for the information, but do you have a date for the availability of release 11.32.75?
If we check the regular release schedule for MRs, we can see we normally release a new one by the first week of the month: https://documentation.commvault.com/2023e/expert/list_of_maintenance_releases_for_commvault_platform_release_2023e.html
Following this trend, I would imagine MM77 to be available between this and next week. It will include all the enhancements from MR75, including the Tomcat update.