
Hello,

We have been notified of a vulnerability in the Commvault Agents in Tenable. Is there a date by which this vulnerability can be fixed with a patch?

CVE-2023-38545 - Curl 7.69 < 8.4.0 Heap Buffer Overflow

Path : /opt/commvault/Base64/libcurl.so

Installed version : 8.0.1

Fixed version : 8.4.0

Regards

Thomas

Hi @thomas.S 

You aren’t affected as per: https://access.redhat.com/security/cve/cve-2023-38545

We also don’t use SOCKS5.


I hope this helps.

Regards,

Chris


Hello @Chris Hollis

Yes, this helped me out. Thanks.

Regards

Thomas


What about for the agent running on Ubuntu 22.04.3? Linux FS agent is version 11.32.28


What about the Windows environment?

Does the latest release (Dec 15 2023) 11.34.x address CVE-2023-38545? In other words, did Commvault update the version of the following:

PLUGIN OUTPUT - Path : /opt/commvault/Base64/libcurl.so 

Installed version : 7.79.0 

Fixed version : 8.4.0


@bc1410 

A quick search on our documentation site for CVE-2023-38545 shows: 

https://documentation.commvault.com/2024/expert/security_vulnerability_and_reporting.html

 


So it’ll be updated in an upcoming maintenance release for 11.34+


@KurtLO same applies for 11.32

Regards,
Chris

 


Thank YOU!


Hi @Chris Hollis 

Would you happen to know when we can expect the Maintenance Release which includes the upgraded cURL component?

 


Apparently, the cURL component was upgraded to 8.4.0 as part of 11.32.36, but seemingly wasn’t really advertised anywhere. 

@Amanda Tesla - if the above is correct, would it be possible to have the CV_2023_11_2 advisory updated to note that the cURL components were upgraded? And can we have a “Give feedback” link on the Security Advisory pages? (please)


@Erase4ndReuseMedia We’ve updated the security advisory notice: https://documentation.commvault.com/securityadvisories/CV_2023_11_2.html.

I told the Dev team about your request for a feedback button on the security advisory site. They will look into adding this feature. We think it’s a good idea. :)  Hope this helps!


Thank you @Amanda Tesla, it’s greatly appreciated!

