
Log4J vulnerability Commvault based on Nessus scan finding.

Unsupported file version:

D:\Program Files\Commvault\ContentStore\WebConsole\WEB-INF\lib\log4j-over-slf4j-1.7.32.jar

 

We have updated Commvault version to 11.28.68 and other unsupported files were updated/deleted but not this one. How can it be updated to a newer/supported version?

@Emilian

Path : \WebConsole\WEB-INF\lib\log4j-over-slf4j-1.7.32.jar
 
The log4j-over-slf4j library is used to remove dependencies on the actual log4j library from applications. It is not log4j, and it is not vulnerable to the security issues that affect log4j.
 
Any automated security scanner that performs lookups against a database of known CVEs could determine this immediately. The customer can see for themselves by comparing the “Vulnerabilities” columns of the libraries on mvnrepository:
 
Log4j 1.x: https://mvnrepository.com/artifact/log4j/log4j
log4j-over-slf4j: https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j (no vulnerabilities present)

 

Note: We do not use any vulnerable Log4J files anymore in Commvault and we are only using Log4J 2.17.1 and above.

With Commvault Platform Release 11.30 the old ones are removed, so we should be good to clean these manually if needed.

 


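For triaging this kind of scanner finding, the following added example (not from the thread and not Commvault code) identifies a JAR by its embedded Maven coordinates and class files rather than by its file name. The marker class paths reflect the public artifacts and the assumption that the bridge does not ship them; the sample JAR is constructed in memory.

```python
import io
import zipfile

# Classes shipped by the real implementations. Assumption: the slf4j bridge
# re-implements only org.apache.log4j API classes and contains neither marker.
LOG4J1_MARKER = "org/apache/log4j/net/JMSAppender.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
KNOWN = {
    ("org.slf4j", "log4j-over-slf4j"): "slf4j-bridge",
    ("log4j", "log4j"): "log4j-1.x",
    ("org.apache.logging.log4j", "log4j-core"): "log4j-2.x-core",
}

def maven_coordinates(jar):
    """Yield (groupId, artifactId, version) from each embedded pom.properties."""
    for name in jar.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            lines = jar.read(name).decode("utf-8", "replace").splitlines()
            props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
            yield props.get("groupId"), props.get("artifactId"), props.get("version")

def classify_jar(source):
    """Return (kind, version) for a JAR given as a path or file-like object."""
    with zipfile.ZipFile(source) as jar:
        names = set(jar.namelist())
        found = {KNOWN[(g, a)]: v for g, a, v in maven_coordinates(jar) if (g, a) in KNOWN}
    # Class content wins over metadata, so a renamed or repackaged JAR is still caught.
    if LOG4J2_MARKER in names:
        return "log4j-2.x-core", found.get("log4j-2.x-core")
    if LOG4J1_MARKER in names:
        return "log4j-1.x", found.get("log4j-1.x")
    for kind in ("log4j-2.x-core", "log4j-1.x", "slf4j-bridge"):
        if kind in found:
            return kind, found[kind]
    return "unknown", None

def build_jar(entries):
    """Build an in-memory JAR from {entry name: content} (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed sample mirroring the flagged file's coordinates.
    pom = "#Generated by Maven\nversion=1.7.32\ngroupId=org.slf4j\nartifactId=log4j-over-slf4j\n"
    sample = build_jar({"META-INF/maven/org.slf4j/log4j-over-slf4j/pom.properties": pom,
                        "org/apache/log4j/Logger.class": b""})
    print(classify_jar(sample))
```

The result identifies which library a file is, not whether it is vulnerable; for a `log4j-2.x-core` result the returned version still has to be compared against the fixed release.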