Solved

Log4j vulnerability



Is Commvault affected by the Log4j vulnerability?

If yes, is there a patch available?

If no, is there a link to the official statement from Commvault saying so?

 

Greets

Nanco de Cortie

Best answer by Mike Struening RETIRED


15 replies

MichaelCapon
Vaulter
  • 348 replies
  • December 13, 2021

Hi @Nanco,

I’d suggest checking this thread: 


We do have an official statement published here: https://documentation.commvault.com/v11/essential/146231_security_vulnerability_and_reporting.html

 

Best Regards,

Michael


Nanco
  • Author
  • Bit
  • 1 reply
  • December 13, 2021

Thank You Michael

downloading 11_24 with 11.24 Log4J Fix

 


Mohit Chordia
Byte

@MichaelCapon

I am using the CV Oracle and Microsoft SQL agents (11.24.21) for backups and recovery, but not database archiving, data masking, logical dump backup or table level restore. Do I need to follow these guidelines, or, since I am not using any of these features, do I not have to take any action in my backup environment? Please clarify.

  • Cloud Apps package
  • Oracle agent - Database archiving, data masking, and logical dump backup
  • Microsoft SQL Server agent - Database archiving, data masking, and table level restore

MichaelCapon
Vaulter
  • 348 replies
  • December 13, 2021

Hey @Mohit Chordia ,

 

Even though you're not specifically using these features, it is still possible that the affected binaries are present on your servers.

To mitigate any risk here, I would still suggest downloading and installing the following updates from the Commvault Store for your Feature Release on the affected client computers.

Feature Release | Minimum Maintenance Release Required | Update
11.25           | 11.25.9                              | 11.25 Log4J Fix
11.24           | 11.24.23                             | 11.24 Log4J Fix
11.23           | 11.23.37                             | 11.23 Log4J Fix
11.22           | 11.22.50                             | 11.22 Log4J Fix
11.21           | 11.21.66                             | 11.21 Log4J Fix
11.20           | 11.20.77                             | 11.20 Log4J Fix
SP16            | SP16.128                             | SP16 Log4J Fix

 

Best Regards,

Michael


Mohit Chordia
Byte

@MichaelCapon 

I have approximately 300+ clients which have the SQL or Oracle iDataAgent configured. We are currently at level 11.24.21 for the CS + MA + the majority of clients.

  • Do you recommend upgrading the CS from 11.24.21 to 11.24.23, then installing the 11.24 Log4J Fix?
  • Upgrade the MediaAgents from 11.24.21 to 11.24.23 and then install the 11.24 Log4J Fix?
  • Would I be able to push the 11.24 Log4J Fix remotely to the SQL and Oracle clients, similar to how we push a maintenance release after upgrading the CS, or do I need to manually install the fix on all 300+ clients after upgrading them to maintenance release 11.24.23?

Regards, Mohit


Mohit Chordia
Byte
Nanco wrote:

Thank You Michael

downloading 11_24 with 11.24 Log4J Fix

 

@Nanco 

Did you install it on the clients, or on the CommServe and MediaAgents as well?

Can we remotely install the fix on all affected clients?

What procedure did you follow?


Kent
  • Byte
  • 3 replies
  • December 13, 2021

@Mohit Chordia 

I am looking for this as well: how to download the fix and push it to the affected clients via the CommServe.

 

 

@MichaelCapon 

Could you share documents with steps how to do this ?

 

Thanks

Kent


Mike Struening
Vaulter

Hi @kent !

I started a new article with all of the details listed here:

 


  • Bit
  • 2 replies
  • December 13, 2021

How do I verify the running version of Log4j?


  • Bit
  • 2 replies
  • December 13, 2021

YES! How do we install the patch? That is the question…


  • Bit
  • 2 replies
  • December 13, 2021

https://community.commvault.com/technical-q-a-2/log4j-been-used-in-commvault-1985

 

Here is the link to get the patch, which I have installed.  I need to document and verify the version - how do I do that?


  • Bit
  • 2 replies
  • December 13, 2021

@Vinny, after applying the patch, right-click on the server that was patched, go to Properties, then Version, and the hotfix shows up.


nightspd
  • Bit
  • 3 replies
  • December 13, 2021

Installed the patch, but it is still being detected as vulnerable, and when I check:

 

C:\Program Files\Commvault\ContentStore\Base\vmheartbeatmon\zookeeper\lib

 

I still see:

 

log4j-1.2.16.jar

 

Shouldn’t it remove this?


  • Vaulter
  • 135 replies
  • December 13, 2021

Hi @nightspd

 

Log4j v1.x is not impacted by this vulnerability so you may still see lingering files for this older version. Commvault is actively looking to upgrade these too although current priority is to patch all log4j v2.0-2.14 binaries. 
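
The two questions that keep coming up in this thread, "how do I verify which version of Log4j is running?" and "why is log4j-1.2.16.jar still under zookeeper\lib after the fix?", both come down to inventorying the jars on disk. The script below is an added example and is not Commvault code or a Commvault tool: it walks an install root you pass on the command line (the ContentStore path in the usage comment is an assumption; use your own), classifies every Log4j jar it finds against the 2.0 to 2.14 range the Vaulter reply describes (2.15.0 is the release that fixed CVE-2021-44228), reports 1.x jars separately so lingering log4j-1.2.16.jar copies are not mistaken for the patched component, and also flags jars with no Log4j name that still contain JndiLookup.class (shaded or bundled copies). When run without an argument it builds a small constructed directory tree that mirrors the path quoted above, so it can be tried offline.

```python
"""Inventory Log4j jars under an install root and classify them for CVE-2021-44228.

Added example for this thread, not Commvault code. "affected" means version
2.0 <= v < 2.15.0 (2.15.0 fixed the CVE); "log4j-1.x" is the old line (not this
CVE); "affected-unknown-version" is an unnamed jar still carrying JndiLookup.class.
"""
import os
import re
import sys
import tempfile
import zipfile
from typing import Dict, List, NamedTuple, Optional, Tuple

# Versioned jar names such as log4j-core-2.14.1.jar or log4j-1.2.16.jar
JAR_NAME = re.compile(r"^log4j(?:-[a-z0-9.-]+?)?-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_IN = (2, 15, 0)  # first Log4j 2 release that fixed CVE-2021-44228

Finding = NamedTuple("Finding", [("path", str), ("version", Optional[str]),
                                 ("has_jndi_lookup", bool), ("status", str)])

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version: Optional[str], has_jndi_lookup: bool) -> str:
    """One of: affected, affected-unknown-version, log4j-1.x, fixed, unknown."""
    v = parse_version(version) if version else None
    if v is None:
        return "affected-unknown-version" if has_jndi_lookup else "unknown"
    if v[0] == 1:
        return "log4j-1.x"  # different code base; lingering 1.2.x jars are expected
    if v < FIXED_IN:
        return "affected"  # 2.0 <= v < 2.15.0: the Log4J Fix must replace this jar
    return "fixed"

def version_from_manifest(jar: zipfile.ZipFile) -> Optional[str]:
    if "META-INF/MANIFEST.MF" not in jar.namelist():
        return None
    for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None

def inspect_jar(path: str) -> Finding:
    name = os.path.basename(path)
    m = JAR_NAME.match(name)
    version, has_jndi = (m.group(1) if m else None), False
    try:
        with zipfile.ZipFile(path) as jar:
            has_jndi = JNDI_CLASS in jar.namelist()
            # Trust the manifest only when the jar is itself Log4j; a shaded
            # application jar's manifest carries the application's version.
            if version is None and "log4j" in name.lower():
                version = version_from_manifest(jar)
    except zipfile.BadZipFile:
        pass  # not really a zip: falls through as "unknown"
    return Finding(path, version, has_jndi, classify(version, has_jndi))

def scan(root: str) -> List[Finding]:
    """Every jar named log4j*, plus any other jar that contains JndiLookup.class."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                f = inspect_jar(os.path.join(dirpath, name))
                if "log4j" in name.lower() or f.has_jndi_lookup:
                    findings.append(f)
    return findings

def _write_jar(path: str, entries: Dict[str, object]) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for entry, data in entries.items():
            jar.writestr(entry, data)

def make_sample_tree(root: str) -> None:
    """Constructed fixture echoing the path quoted in the thread; not real Commvault files."""
    stub = b"\xca\xfe\xba\xbe"  # stand-in class bytes; only the entry name matters
    lib = os.path.join(root, "Base", "lib")
    _write_jar(os.path.join(root, "Base", "vmheartbeatmon", "zookeeper", "lib", "log4j-1.2.16.jar"),
               {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 1.2.16\n"})
    _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), {JNDI_CLASS: stub})
    _write_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), {JNDI_CLASS: stub})
    _write_jar(os.path.join(lib, "log4j-core.jar"),  # version only in the manifest
               {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 2.16.0\n"})
    _write_jar(os.path.join(root, "Base", "app", "reporting-all.jar"),  # shaded: Log4j hidden inside
               {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nImplementation-Version: 1.0\n",
                JNDI_CLASS: stub})

def demo_findings() -> Dict[str, Finding]:
    """Build the fixture in a temp dir and return findings keyed by jar file name."""
    root = tempfile.mkdtemp()
    make_sample_tree(root)
    return {os.path.basename(f.path): f for f in scan(root)}

if __name__ == "__main__":
    # Real use: python log4j_inventory.py "C:\Program Files\Commvault\ContentStore"
    found = scan(sys.argv[1]) if len(sys.argv) > 1 else list(demo_findings().values())
    for f in sorted(found, key=lambda x: x.path):
        flag = "JndiLookup.class present" if f.has_jndi_lookup else "no JndiLookup.class"
        print(f"{f.status:26} {f.version or '?':8} {flag:26} {f.path}")
```

Two caveats before trusting its output. It reads jar names and manifests, not bytecode, so a jar that was hardened by deleting JndiLookup.class but kept its 2.14.x file name is still reported as affected, and a renamed or shaded copy is only caught when JndiLookup.class is found inside it. Treat the listing as an inventory to reconcile with the hotfix shown under the client's Properties > Version tab, not as proof of exposure on its own.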


Mike Struening
Vaulter

FYI all, we have a new article created to discuss all concerns about this vulnerability.

I’m going to close this thread off as we want to make sure we are all talking to each other and benefiting from the collective wisdom :nerd:

 

