Solved

Vulnerability Details - Product End-of-Life (EOL) Bootstrap 3.3.6

  • February 24, 2022
  • 3 replies
  • 432 views


Hi,

We recently were discussing a few security concerns for one of our customers.

Now there is a specific file located on the CS:

/webconsole/common/bootstrap/javascripts/bootstrap.min.js Bootstrap 3.3.6

This seems to be deprecated by the provider and is giving a high-priority alert.

However, I do not see this listed in https://documentation.commvault.com/11.26/expert/146231_security_vulnerability_and_reporting.html

As far as I see, I do not see that this is updated on their system (currently 24.34.).

Could you provide us with an idea of when this will be upgraded through Commvault?

Kind regards,

Thos Gieskes.

Best answer by Vsicherman


  • Vaulter
  • 23 replies
  • Answer
  • February 24, 2022

Hi Thos,

The dev team is aware of this vulnerability and is working towards migrating it to Command Center with an updated version. If you were so inclined, you can set an additional setting on the Web Console machine which would block access (as configured), thus mitigating risk:

Name: webconsoleRequestWhiteList

Path: WebConsole

Type: String

Value: .^

Note the value is a period followed by a caret symbol. I hope this helps. If you’d like more formal information surrounding timelines, I’d suggest a support case be opened.

Kind regards,

Vance Sicherman

Commvault Support


  • Author
  • Byte
  • 18 replies
  • February 28, 2022

Hi @Vsicherman,

Thank you for the provided answer; we have added the above setting in the meantime.

Do you have an ETA for when the change will be made by DEV?

Kind regards,

Thos Gieskes


  • Vaulter
  • 23 replies
  • March 25, 2022

Hi @Thos Gieskes,

Afraid I don’t have specifics on the upgradation of the bootstrap file. I’d suggest a case be opened with support for more concrete and visible tracking.

Kind regards,

Vance Sicherman

Commvault Support

