Solved

Tomcat Vulnerability CVE-2024-52316

  • November 19, 2024
  • 6 replies
  • 1214 views


Hi,

We’re running 11.32.73.
The Tomcat version used has at least two vulnerabilities, CVE-2024-52316 and CVE-2024-38286.
When checking the Windows service it says it’s version 10.1.8. When checking the catalina.jar file it shows version 10.1.19.
Still we need to get past 10.1.30 to fix CVE-2024-52316, which has the status Critical.
When do you plan to update the Tomcat version?
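
One way to read the version from catalina.jar itself and compare it with the first 10.1.x build past 10.1.30 (an added example, not part of the original post and not Commvault tooling). It assumes the standard Tomcat layout in which catalina.jar carries `org/apache/catalina/util/ServerInfo.properties`; the sample jar is constructed in memory so the code runs offline.

```python
import io
import zipfile

# Version resource inside catalina.jar (standard Tomcat layout, assumed here).
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"
# First 10.1.x release past 10.1.30, the threshold named in the thread.
FIXED_10_1 = (10, 1, 31)

def read_server_number(jar):
    """Return server.number from a catalina.jar path or file object."""
    with zipfile.ZipFile(jar) as zf:
        text = zf.read(SERVER_INFO).decode("iso-8859-1")
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "server.number":
            return value.strip()
    raise ValueError("server.number not found in " + SERVER_INFO)

def parse_version(number):
    """'10.1.19.0' -> (10, 1, 19); the fourth (build) field is ignored."""
    return tuple(int(part) for part in number.split(".")[:3])

def needs_update(jar, fixed=FIXED_10_1):
    """True when the jar is on the same minor line but older than `fixed`."""
    version = parse_version(read_server_number(jar))
    if version[:2] != fixed[:2]:
        raise ValueError(f"not a {fixed[0]}.{fixed[1]}.x build: {version}")
    return version < fixed

def make_sample_jar(number):
    """Constructed stand-in for catalina.jar (sample data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVER_INFO,
                    "# constructed sample\n"
                    f"server.info=Apache Tomcat/{number}\n"
                    f"server.number={number}.0\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for sample in ("10.1.19", "10.1.31"):
        print(sample, "needs update:", needs_update(make_sample_jar(sample)))
```

On a real installation, pass the path to catalina.jar to `needs_update` instead of the constructed sample.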

Best answer by Blaine Busler


6 replies

  • Vaulter
  • 11 replies
  • Answer
  • November 19, 2024

@PatricG

A Tomcat update to 10.1.31 has already been tested and is tentatively scheduled for release with 11.32.75.

In any case, we do not configure Tomcat to use a custom ServerAuthContext, so the Commvault Tomcat Service is not impacted by CVE-2024-52316.


  • Byte
  • 23 replies
  • November 19, 2024

We are running into a similar vulnerability where our security team is seeing a plugin

“libcurl 7.32.0<8.9.1 DoS (CVE-2024-7264)”

@Blaine Busler - I'm assuming that this is the same issue? Right now my environment is on 11.32.69 and it looks like upgrading it to 11.32.73 won't do much?🤷



@TP_Erickson if you’re seeing that reported against Tomcat (basically everything in Commvault’s Apache folder), it’s likely a false positive. Tomcat doesn’t use libcurl, as the Tomcat devs discuss here.


  • Author
  • Byte
  • 25 replies
  • November 20, 2024

@Blaine Busler Thank you for the quick response. I read it when you answered, though I did not have time to answer it myself at the time.


  • Bit
  • 1 reply
  • November 29, 2024

@Blaine Busler Thank you very much for the information, but do you have a date for the availability of release 11.32.75?


  • Vaulter
  • 241 replies
  • December 2, 2024

If we check the regular release schedule for MRs, we can see we normally release a new one by the first week of the month: https://documentation.commvault.com/2023e/expert/list_of_maintenance_releases_for_commvault_platform_release_2023e.html

Following this trend, I would imagine MM77 to be available between this week and next. It will include all the enhancements from MR75, including the Tomcat update.

