Solved

CVE-2023-38545 - Curl 7.69 < 8.4.0 Heap Buffer Overflow

  • 17 November 2023
  • 10 replies
  • 1868 views

Userlevel 4
Badge +15

Hello,

We have been notified of a vulnerability in the Commvault Agents in tenable. Is there a date by which this vulnerability can be fixed with a patch?

CVE-2023-38545 - Curl 7.69 < 8.4.0 Heap Buffer Overflow

Path : /opt/commvault/Base64/libcurl.so Installed version : 8.0.1 Fixed version : 8.4.0

Regards

Thomas

icon

Best answer by Chris Hollis 20 November 2023, 04:26

View original

10 replies

Userlevel 6
Badge +15

Hi @thomas.S 

You aren’t affected as per: https://access.redhat.com/security/cve/cve-2023-38545

We also don’t use SOCKS5.


I hope this helps.

Regards,

Chris ​​

Userlevel 4
Badge +15

Hello @Chris Hollis

yes, this helped me out. Thanks. 

Regards

Thomas

Badge +1

What about for the agent running on Ubuntu 22.04.3? Linux FS agent is version 11.32.28

Userlevel 2
Badge +8

What about windows environment?

Does the latest release (Dec 15 2023)  11.34.x address CVE-2023-38545?  Another words did commvault update the version of the following:

 

PLUGIN OUTPUT - Path : /opt/commvault/Base64/libcurl.so 

Installed version : 7.79.0 

Fixed version : 8.4.0

Userlevel 6
Badge +15

@bc1410 

A quick search on our documentation site for CVE-2023-38545 shows: 

https://documentation.commvault.com/2024/expert/security_vulnerability_and_reporting.html

 


So it’ll be updated in an upcoming maintenance release for 11.34+


@KurtLO  same applies for 11.32

Regards,
​​​​​​​Chris

 

Userlevel 2
Badge +8

Thank YOU!

Userlevel 3
Badge +11

Hi @Chris Hollis 

Would you happen to know when we can expect the Maintenance Release which includes the upgraded cURL component?

 

Userlevel 3
Badge +11

Apparently, the cURL component was upgraded to 8.4.0 as part of 11.32.36, but seemingly wasn’t really advertised anywhere. 

@Amanda Tesla - if the above is correct, would it be possible to have the CV_2023_11_2 advisory updated to note that the cURL components were upgraded? And can we have a “Give feedback” link on the Security Advisory pages? (please)

Userlevel 3
Badge +4

@Erase4ndReuseMedia We’ve updated the security advisory notice: https://documentation.commvault.com/securityadvisories/CV_2023_11_2.html.

I told the Dev team about your request for a feedback button on the security advisory site. They will look into adding this feature. We think it’s a good idea. :)  Hope this helps!

Userlevel 3
Badge +11

Thank you @Amanda Tesla, it’s greatly appreciated!

Reply