Solved

CVE-2023-38545 - Curl 7.69 < 8.4.0 Heap Buffer Overflow



Hello,

We have been notified of a vulnerability in the Commvault Agents in Tenable. Is there a date by which this vulnerability can be fixed with a patch?

CVE-2023-38545 - Curl 7.69 < 8.4.0 Heap Buffer Overflow

Path : /opt/commvault/Base64/libcurl.so

Installed version : 8.0.1

Fixed version : 8.4.0

Regards

Thomas


10 replies

Chris Hollis
  • Vaulter
  • 333 replies
  • Answer
  • November 20, 2023

Hi @thomas.S 

You aren’t affected as per: https://access.redhat.com/security/cve/cve-2023-38545

We also don’t use SOCKS5.


I hope this helps.

Regards,

Chris


  • Author
  • Byte
  • 168 replies
  • November 20, 2023

Hello @Chris Hollis

Yes, this helped me out. Thanks.

Regards

Thomas


KurtLO
  • Byte
  • 10 replies
  • January 9, 2024

What about for the agent running on Ubuntu 22.04.3? Linux FS agent is version 11.32.28


  • Byte
  • 77 replies
  • January 10, 2024

What about Windows environment?

Does the latest release (Dec 15 2023) 11.34.x address CVE-2023-38545? In other words, did Commvault update the version of the following:

 

PLUGIN OUTPUT - Path : /opt/commvault/Base64/libcurl.so 

Installed version : 7.79.0 

Fixed version : 8.4.0


Chris Hollis
  • Vaulter
  • 333 replies
  • January 10, 2024

@bc1410 

A quick search on our documentation site for CVE-2023-38545 shows: 

https://documentation.commvault.com/2024/expert/security_vulnerability_and_reporting.html

 


So it’ll be updated in an upcoming maintenance release for 11.34+


@KurtLO  same applies for 11.32

Regards,
Chris

 


  • Byte
  • 77 replies
  • January 10, 2024

Thank YOU!


Erase4ndReuseMedia
Byte

Hi @Chris Hollis 

Would you happen to know when we can expect the Maintenance Release which includes the upgraded cURL component?

 


Erase4ndReuseMedia
Byte

Apparently, the cURL component was upgraded to 8.4.0 as part of 11.32.36, but seemingly wasn’t really advertised anywhere. 

@Amanda Tesla - if the above is correct, would it be possible to have the CV_2023_11_2 advisory updated to note that the cURL components were upgraded? And can we have a “Give feedback” link on the Security Advisory pages? (please)


Amanda Tesla
Vaulter

@Erase4ndReuseMedia We’ve updated the security advisory notice: https://documentation.commvault.com/securityadvisories/CV_2023_11_2.html.

I told the Dev team about your request for a feedback button on the security advisory site. They will look into adding this feature. We think it’s a good idea. :)  Hope this helps!


Erase4ndReuseMedia
Byte

Thank you @Amanda Tesla, it’s greatly appreciated!

