Solved

Apache Vulnerability CVE-2022-23181 - Is this affecting Commvault ?

  • February 2, 2022
  • 6 replies
  • 1240 views


In relation to Apache bug CVE-2022-23181 is this affecting any Commvault releases ?

“This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.”

Best answer by Aplynx

6 replies

Aplynx
Vaulter
  • Vaulter
  • 291 replies
  • February 2, 2022

I don’t see anything on this at the moment. Might be quicker to open a support request to get an answer.


Aplynx
Vaulter
  • Vaulter
  • 291 replies
  • Answer
  • February 2, 2022

Commvault is not affected by this CVE because we have disabled session persistence on our web applications, as described here:

https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html#Disable_Session_Persistence


E.g., if you check our apps’ context entries in ContentStore\Apache\conf\server.xml file, they will contain this setting:


<Manager pathname="" />
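The check described above (look at each app's Context entry in server.xml for `<Manager pathname="" />`) can be scripted so it is repeatable across hosts. The following is an added example, not Commvault's or Tomcat's own code, and the embedded server.xml is a constructed sample, not the real ContentStore\Apache\conf\server.xml. It classifies every `<Context>` by its session-persistence setting and flags only the FileStore configuration that the CVE text names as the precondition for exploitation:

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not Commvault's real file): one context that
# persists sessions through a FileStore, one with persistence disabled via
# <Manager pathname="" />, and one with no explicit Manager element at all.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/legacy" docBase="legacy">
          <Manager className="org.apache.catalina.session.PersistentManager">
            <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
          </Manager>
        </Context>
        <Context path="/webconsole" docBase="webconsole">
          <Manager pathname="" />
        </Context>
        <Context path="/noexplicit" docBase="noexplicit"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def classify_context(ctx):
    """Classify one <Context> element's session persistence setting.

    Returns:
      'disabled'   - <Manager pathname=""> is present (the setting the answer above describes)
      'filestore'  - a PersistentManager backed by a FileStore (the CVE's stated precondition)
      'persistent' - a PersistentManager with some other Store (e.g. JDBCStore)
      'default'    - no Manager, or a Manager without pathname="": Tomcat's StandardManager,
                     which by default writes SESSIONS.ser on shutdown but is not a FileStore
    """
    manager = ctx.find("Manager")
    if manager is None:
        return "default"
    if manager.get("pathname") == "":
        return "disabled"
    store = manager.find("Store")
    if store is not None and store.get("className", "").endswith("FileStore"):
        return "filestore"
    if manager.get("className", "").endswith("PersistentManager"):
        return "persistent"
    return "default"


def audit_server_xml(xml_text):
    """Map every Context path in a server.xml document to its persistence class."""
    root = ET.fromstring(xml_text)
    # iter() walks the whole tree, so Contexts nested under Service/Engine/Host are all found.
    return {ctx.get("path", "<unnamed>"): classify_context(ctx) for ctx in root.iter("Context")}


def audit_server_xml_file(path):
    """Run the same check against a file on disk, e.g. ContentStore\\Apache\\conf\\server.xml."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_server_xml(fh.read())


def filestore_contexts(report):
    """Return the context paths that match the CVE's FileStore precondition."""
    return sorted(path for path, status in report.items() if status == "filestore")


if __name__ == "__main__":
    report = audit_server_xml(SAMPLE_SERVER_XML)
    for path, status in report.items():
        print(f"{path:15} {status}")
    print("contexts using FileStore:", filestore_contexts(report))
```

Two caveats for anyone using this as a real check: Tomcat also accepts `<Manager>` elements from conf/context.xml and from each application's META-INF/context.xml, which this script does not read, so an empty result from server.xml alone is not proof; and the classification keys on the `className` suffix, so a custom Store class would need to be added to the test.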


  • Author
  • Bit
  • 1 reply
  • February 3, 2022

Thanks for the info provided @Aplynx  :ok_hand:


  • Vaulter
  • 13 replies
  • March 4, 2022

Hello,

I need your help to understand the requirement below.

Are the Apache Tomcat vulnerabilities below fixed in 11.24.34, or are they related to OS vulnerabilities?

Do we have any document to check which vulnerabilities are fixed in which version?


Reported vulnerabilities:
Apache Tomcat: Important: Information Disclosure (CVE-2016-6816)
Apache Tomcat: Low: XSS in SSI printenv (CVE-2019-0221)
Apache Tomcat: Low: Unrestricted Access to Global Resources (CVE-2016-6797)
Apache Tomcat: Low: System Property Disclosure (CVE-2016-6794)
Apache Tomcat: Important: Remote Code Execution (CVE-2017-12617)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-6796)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-5018)
Apache Tomcat default installation/welcome page installed
Apache Tomcat: Low: Timing Attack (CVE-2016-0762)


Mike Struening
Vaulter

@Theja, we generally have a vulnerabilities list on our docs.

Here’s an example:

https://documentation.commvault.com/11.24/essential/146231_security_vulnerability_and_reporting.html

Are there any you are not seeing listed?


Aplynx
Vaulter
  • Vaulter
  • 291 replies
  • March 4, 2022

Do you have an example audit/security report that is flagging Commvault as being vulnerable to these additional Apache exploits?

