Skip to main content
commvault.com commvault.com
Answer

VDDK Vulnerability for HyperV(AzureHCI) backups

  • August 19, 2025
  • 9 replies
  • 89 views
A
Byte
Forum|alt.badge.img+8

Hi Expert Team,

 

We are getting below Vulnerability for Nexus scan on AzureHCI nodes where VSA proxies are installed.

These VSA nodes are used only for HCI VM backups not VMWare.We have earlier raised one case 240809-322, but it was specific to VMware.

 

Now the question is how these plugins loaded when we are not doing VMware backups using this proxy.Can it be deleted manually? If deleted will it have any impact on HCI VM backups?

    

Plugin Name:

 

SQLite < 3.50.2 Memory Corruption

libcurl 7.9.1 < 8.4.0 Cookie Injection

libcurl 7.69 < 8.4.0 Heap Buffer Overflow

libcurl 7.32.0 < 8.9.1 DoS (CVE-2024-7264)

 

Plugin Output: 
  Path              : C:\Program Files\Commvault\ContentStore\Base\VMWARE\VDDK\VDDK801\bin\libcurl.dll
  Installed version : 7.84.0.0
  Fixed version     : 8.9.1

  Path              : C:\Program Files\Commvault\ContentStore\Base\VMWARE\VDDK\VDDK800\bin\libcurl.dll
  Installed version : 7.82.0.0
  Fixed version     : 8.9.1
 

Plugin Output: 
  Path              : C:\Program Files\Commvault\ContentStore\Base\VMWARE\VDDK\VDDK803\bin\libcurl.dll
  Installed version : 8.5.0.0
  Fixed version     : 8.9.1

  Path              : C:\Program Files\Commvault\ContentStore\Base\VMWARE\VDDK\VDDK702\bin\libcurl.dll
  Installed version : 7.72.0.0
  Fixed version     : 8.9.1
 

FYR:

https://documentation.commvault.com/2023e/expert/vddk_support_for_virtual_server_agent_with_vmware_01.html

 

Best answer by Erase4ndReuseMedia

250804-86

9 replies

Jon Vengust
Vaulter
Forum|alt.badge.img+9
  • Jon VengustVaulter
  • Vaulter
  • August 20, 2025

Hi ​@AbdulIkram

 

Regarding CVE-2024-7264, we do have a public security advisory available:https://documentation.commvault.com/securityadvisories/CV_2024_08_2.html

 

Regarding the other vulnerabilities, please specify which version of Commvault you’re currently running. A few of these have been patched already. For example, the heap buffer overflow vulnerability fix is available in 11.32.31 and onwards.

 

 

A
Byte
Forum|alt.badge.img+8
  • AbdulIkram
  • Author
  • Byte
  • August 20, 2025

Thank you for looking into this. We are on 11.32.106.

Rajiv
Vaulter
Forum|alt.badge.img+12
  • RajivVaulter
  • Vaulter
  • August 20, 2025

Hi ​@AbdulIkram can you confirm the access nodes are also running on 11.32.106? 

Best,

Rajiv Singal

A
Byte
Forum|alt.badge.img+8
  • AbdulIkram
  • Author
  • Byte
  • August 21, 2025

Yes complete environment is on 11.32.106.Since we are in hurry, CV case is raised 250820-179.

Erase4ndReuseMedia
Byte
Forum|alt.badge.img+14

You will need to manually clean up the VDDK folders. 

The recommendation is to Stop the Commvault Services, and delete the vulnerable VDDK folders.

A
Byte
Forum|alt.badge.img+8
  • AbdulIkram
  • Author
  • Byte
  • August 24, 2025

We tested it by deleting in UAT environment and it does not impact hyperv backups.However we are waiting for commvault to give goahead on the case to delete in production.

Erase4ndReuseMedia
Byte
Forum|alt.badge.img+14

Fair, we did the same.

Support assured us that VDDK wasn’t required on Hyper-V Access Nodes.

A
Byte
Forum|alt.badge.img+8
  • AbdulIkram
  • Author
  • Byte
  • August 25, 2025

@Erase4ndReuseMedia  thank you.I appreciate if you can you share the case number if handy?

Erase4ndReuseMedia
Byte
Forum|alt.badge.img+14

250804-86

Terms & ConditionsCookie settingsAccessibility statement