Question

Commvault 11.32.128 log4j vulnerability

  • January 12, 2026
  • 7 replies
  • 121 views


Hello

We just applied the latest maintenance patch to our 11.32 Commvault environment a few days ago to bring us to 11.32.128 (from 11.32.125), and I noticed this morning that scans showed a log4j vulnerability.


Plugin Output: 
  Path              : C:\Program Files\Commvault\ContentStore\CVCIEngine\CvPreviewHome\webapps\CvContentPreviewGenApp\WEB-INF\lib\log4j-core-2.17.1.jar
  Installed version : 2.17.1
  Fixed version     : 2.25.3

  Path              : C:\Program Files\Commvault\ContentStore\MessageQueue\lib\optional\log4j-core-2.24.3.jar
  Installed version : 2.24.3
  Fixed version     : 2.25.3


Is there a fix or patch that Commvault will release to address this? Maybe in next month's maintenance release? Any input would be appreciated.


Thanks

BC

7 replies

Damian Andre
  • Vaulter
  • January 12, 2026

Hi @bc1410

Can you cite the CVE associated with the scan relating to log4j 2.17.1 and 2.24.3?


  • Author
  • Explorer
  • January 13, 2026

Sorry for the delayed response @Damian Andre

Thanks for your reply as well.  


So the Security Center plugin was this: 282519 - https://www.tenable.com/plugins/nessus/282519


The CVE appears to be - https://www.tenable.com/cve/CVE-2025-68161


Damian Andre
Vaulter

OK, this looks like a new CVE (late December). I was wondering because I didn't see any other references to this in our case system. Let me do some digging for you.


  • Author
  • Explorer
  • January 14, 2026

@Damian Andre - Thanks so much!



  • Novice
  • January 21, 2026

Is there any update for this?  I also have this on my scans.


  • Author
  • Explorer
  • January 21, 2026

@Damian Andre I appreciate your response to my original post and your help, but I'm sure you're busy, so I decided to open a support case, as I had some folks in my office keep asking me about any possible resolutions or whether Commvault is even affected by this vuln, etc.

I have heard from a support rep regarding a question of whether the CVE was 2025-68161, which I confirmed with support. Now I'm waiting for them to reply back again with hopefully a resolution. I will post any details once I hear from them.


Thanks

BC


  • Author
  • Explorer
  • January 22, 2026

@Kimberly M & @Damian Andre, per CV support I got the following response:


This vulnerability applies only to Apache Log4j’s Socket Appender. Commvault does not use or configure the Log4j Socket Appender in any component. Logging within Commvault is performed using Logback, and any third-party libraries that rely on Log4j are redirected to Logback appenders through bridge libraries, preventing Log4j appenders from being invoked at runtime.

The security scan result is based solely on the presence of the Log4j library version and does not reflect an exploitable condition in Commvault. As a result, no customer action is required.

They also mentioned that there is no configuration or programmatic usage of the Log4j Socket Appender anywhere in the codebase.

With that info, our security team is recasting this vulnerability on our security scans.


Thanks

BC
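The thread ends with a vendor statement (the advisory is scoped to Log4j's Socket Appender, which is neither configured nor reachable because Log4j calls are bridged into Logback) and a scan result that only keys on the jar version. A defender who wants to recast such a finding should be able to reproduce that reasoning from evidence on disk rather than take it on trust. The script below is an added example, not code from the thread, from Commvault, or from Tenable: it parses scanner output shaped like the plugin output quoted above, then walks an install tree looking for log4j-core jars, a Log4j-to-SLF4J bridge jar, and any Log4j configuration (loose or packaged inside a jar) that declares a Socket appender, and turns that into a triage verdict. The jar names, configuration and scan text are constructed for the demo, and treating `log4j-to-slf4j` as the bridge jar is an assumption (the support reply only says "bridge libraries").

```python
"""Triage helper for a Log4j scanner hit whose advisory is scoped to one appender.

Added example, not Commvault's, Tenable's or any poster's code. The plugin-output
text, jar names and configuration below are constructed for the demo, and the
choice of log4j-to-slf4j as the bridge jar is an assumption (the support reply
only says "bridge libraries").
"""
import pathlib
import re
import tempfile
import zipfile

# Constructed sample shaped like the Nessus plugin output quoted in the thread.
SAMPLE_PLUGIN_OUTPUT = """
  Path              : C:\\app\\webapps\\WEB-INF\\lib\\log4j-core-2.17.1.jar
  Installed version : 2.17.1
  Fixed version     : 2.25.3

  Path              : C:\\app\\mq\\lib\\optional\\log4j-core-2.24.3.jar
  Installed version : 2.24.3
  Fixed version     : 2.25.3
"""

FINDING_RE = re.compile(
    r"Path[ \t]*:[ \t]*(?P<path>.+?)[ \t]*\n[ \t]*"
    r"Installed version[ \t]*:[ \t]*(?P<installed>\S+)[ \t]*\n[ \t]*"
    r"Fixed version[ \t]*:[ \t]*(?P<fixed>\S+)")

CORE_RE = re.compile(r"^log4j-core-\d+(?:\.\d+)*\.jar$")
# Assumed bridge: log4j-to-slf4j routes Log4j API calls into SLF4J (and so Logback).
BRIDGE_RE = re.compile(r"^log4j-to-slf4j-\d+(?:\.\d+)*\.jar$")
CONFIG_NAMES = {"log4j2.xml", "log4j2-test.xml", "log4j2.properties", "log4j2.json"}
# Matches <Socket .../> in XML, "type = Socket" in properties, or SocketAppender.
SOCKET_RE = re.compile(r"\bSocket(Appender)?\b")


def parse_plugin_output(text):
    """Return one dict (path, installed, fixed) per finding in the scanner text."""
    return [m.groupdict() for m in FINDING_RE.finditer(text)]


def below_fixed(installed, fixed):
    """True if the installed version is older than the scanner's fixed version."""
    def as_tuple(v):
        return tuple(int(x) for x in v.split("."))
    return as_tuple(installed) < as_tuple(fixed)


def scan_install_tree(root):
    """Collect the evidence needed for appender-scoped triage: which log4j-core
    jars exist, whether a bridge jar is present, and whether any Log4j config
    (loose file or packaged inside a jar/war) declares a Socket appender."""
    report = {"core_jars": [], "bridge_jars": [], "socket_configs": []}
    for p in pathlib.Path(root).rglob("*"):
        if not p.is_file():
            continue
        if CORE_RE.match(p.name):
            report["core_jars"].append(str(p))
        elif BRIDGE_RE.match(p.name):
            report["bridge_jars"].append(str(p))
        if p.name in CONFIG_NAMES:
            if SOCKET_RE.search(p.read_text(errors="ignore")):
                report["socket_configs"].append(str(p))
        elif p.suffix in (".jar", ".war") and zipfile.is_zipfile(p):
            with zipfile.ZipFile(p) as zf:
                for name in zf.namelist():
                    if name.rsplit("/", 1)[-1] in CONFIG_NAMES and \
                            SOCKET_RE.search(zf.read(name).decode(errors="ignore")):
                        report["socket_configs"].append(f"{p}!{name}")
    return report


def assess(report):
    """Turn the evidence into a verdict in the terms the support reply used."""
    if not report["core_jars"]:
        return "not-present"
    if report["socket_configs"]:
        return "review-needed: a Socket appender is configured"
    if report["bridge_jars"]:
        return "mitigated-by-configuration: no Socket appender, Log4j bridged to SLF4J"
    return "review-needed: no Socket appender found, but no bridge jar either"


def build_demo_tree(root, with_socket):
    """Constructed fixture: fake core and bridge jars plus a log4j2.xml."""
    lib = pathlib.Path(root) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    for jar in ("log4j-core-2.17.1.jar", "log4j-to-slf4j-2.17.1.jar"):
        with zipfile.ZipFile(lib / jar, "w") as zf:  # empty jar, manifest only
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    socket = '<Socket name="remote" host="logs.example" port="4560"/>' if with_socket else ""
    (lib.parent / "log4j2.xml").write_text(
        f"<Configuration><Appenders>{socket}<Console name=\"stdout\"/></Appenders></Configuration>")
    return root


def demo(with_socket=False):
    """Run the scan on a throwaway tree; returns the verdict string."""
    with tempfile.TemporaryDirectory() as tmp:
        return assess(scan_install_tree(build_demo_tree(tmp, with_socket)))


if __name__ == "__main__":
    for f in parse_plugin_output(SAMPLE_PLUGIN_OUTPUT):
        print(f["path"], "below fixed version:", below_fixed(f["installed"], f["fixed"]))
    print(demo(False))
    print(demo(True))
```

Run it against a real install by calling `scan_install_tree` on the product root (the `ContentStore` directory in the paths above) instead of the fixture. The verdict is evidence for a risk-acceptance note, not a substitute for the vendor's fix: the jars still carry an old version, so the finding will keep reappearing until they are upgraded, and a Socket appender introduced later by a configuration change would flip the result.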