We are pleased to announce the eleventh generation of our industry leading software! You can now experience all the latest innovations designed to provide you with a business advantage.
In addition to the new software features and usability enhancements in this release, we have rearchitected the core of our software. This includes the following:
-
The Security layer for greater access control and flexibility, and to address the needs of mobile users.
-
The Networking layer to support new transport modes, and provide greater speeds and better scaling.
-
The Database layer which has been simplified to eliminate potential bottlenecks.
-
The Indexing layer to support multiple databases as well as live edit capabilities.
Refer to the New Features list, which highlights the major new features and capabilities of our software, including a description, applicable agents, use cases, and license information. Other topics provide more information about the changes in this version of the Commvault software. For information, see Cumulative Information for Version 11.
To see new features and changes for recent service packs, go to the service pack documentation listed under What's New.
If you are a new user of our software, start by reading the Software Overview pages, and try out our software by following the Quick Start Guide.
Service Pack 16 Automatic Downloads Available on August 15, 2019
Service Pack 16 will be available for automatic downloads. Customers who would like to get the service pack immediately may download it manually using the instructions linked from Service Pack Installations. For customers that use the default schedules, the software automatically downloads on or after August 15, 2019.
Maintenance Release Schedule Change
Beginning September, 2020, maintenance releases are posted on a monthly schedule.
For more information, see Feature Release Schedule and Lifecycles.
End of Support for Windows 2008 and Windows 2008 R2
Newer versions of Windows include important performance, stability, and reliability improvements. Therefore, new installations on Windows 2008 and Windows 2008 R2 are not supported for the following Commvault platforms:
-
CommServe
-
MediaAgent
-
Web Console
-
Web Server
-
Workflow
-
Metrics Report
-
Search Engine and Analytics
Support for existing deployments is now discontinued. You should plan to upgrade the operating system in the near future, to maintain supportability and to take advantage of the improvements offered with newer versions of Windows.
The Web-Based CommCell Console Will Stop Working When Oracle Removes the Support for Java Web Start
As described in the Oracle Java SE Support Roadmap web page, Oracle will continue to provide public updates and auto updates of Java "until at least the end of January 2019 for Commercial Users". After that time, Java Web Start and the Java Plug-in will be removed and Commvault users will no longer be able to access the CommCell Console as a Java Web Start application.
Commvault users will be able to access the CommCell Console using the Java Web Start application up until the end of January 2019, and the Java deprecation warning will appear during that time. After January 2019, Commvault users will not be able to access the CommCell Console using the Java Web Start application.
After January 2019, Commvault users can access the CommCell Console only by using one of the following methods:
CommServe Server and MediaAgents Can Be a Virtual Machine
You can use virtual machines instead of physical clients for the CommServe server and MediaAgents. Virtual machines must meet the same hardware specifications as physical clients, such as CPU, RAM, IOPs, and network requirements.
We recommend that you manage extra-large backend data (up to 400 TB) with a single extra-large MediaAgent using two DDB (deduplication database) partitions. For more information, see Deduplication Extended Mode.
For other information about CommServe server and MediaAgent sizing, see the following topics:
-
Hardware Specifications for Deduplication Two Partitioned Mode
-
Hardware Specifications for Deduplication Two Partitioned Extended Mode
-
Hardware Specifications for Deduplication Four Partitioned Mode
-
Hardware Specifications for Deduplication Four Partitioned Extended Mode
For VMware using ESXi 6.0 EP6 (build 3825889), incremental backups that use application quiescing are equivalent to Full Backups
A known issue with VMware ESXi 6.0 EP6 (build 3825889) caused Changed Block Tracking (CBT) to return all blocks for a virtual disk, resulting in backups that were the total size of the virtual disk. This affected backup applications, including Commvault, when incremental backups were run using application consistent quiescing with CBT, for guest virtual machines running Windows 2008 or later.
Note: This issue did not result in data loss, but did increase the size and running time of incremental backups.
You can resolve this issue by applying the patch that was provided by VMware in VMware ESXi 6.0, Patch ESXi-6.0.0-20160804001-standard (2145667).
For more information, see the VMware KB article After upgrading to ESXi 6.0 Build 3825889, incremental virtual machine backups effectively run as full backups when application consistent quiescing is enabled (2145895).
Security
CV_2021_08_1: Authentication Bypass Vulnerabilities on CVWebService Endpoint
Advisory ID: CV_2021_08_1
External Reporting IDs: CVE-2021-34993, CVE-2021-34994, CVE-2021-34995, CVE-2021-34996, CVE-2021-34997
Issued On: August 08, 2021
Updated On: August 08, 2021
Severity: Medium
Version: 1.0
Description
The following security vulnerabilities were reported with Commvault’s CVWebService Web Server endpoint:
-
Authentication bypass on a subset of web server APIs allows unauthorized users to download files from the web server.
-
CommCell users that do not have administrator permissions can upload files to the Download Center or to Commvault App Studio.
Affected Products
This vulnerability affects the Commvault Web Server on Service Pack 16 and Feature Releases 11.20-11.24.
Resolution
To fix these vulnerabilities, download and install the following maintenance release (or a more recent release), for your Feature Release on the CommServe and Web Server.
|
Feature Release |
Maintenance Release |
|---|---|
|
11.24 |
7 |
|
11.23 |
21 |
|
11.22 |
36 |
|
11.20 |
64 |
|
SP16 |
116 |
Acknowledgments
We acknowledge Trend Micro for reporting this issue to us.
Security Vulnerability with Viewing Log files
The following hotfix packs, dated March 12, 2020, contain a fix for a security vulnerability that is related to viewing log files in the CommCell environment. With this fix, viewing log files is limited to the log files folder only.
Download and install the hotfix pack, dated March 12, 2020 (or later), for your service pack level on all the clients in the CommCell environment.
The security vulnerability does not exist in Feature release 11.19 and later releases.
|
Service Pack |
Hotfix Pack Number |
|---|---|
|
SP14 |
14.68 |
|
SP15 |
15.58 |
|
SP16 |
16.44 |
|
SP17 |
17.29 |
|
SP18 |
18.13 |
Security Vulnerability With MongoDB Versions
Commvault has reviewed the security concerns with MongoDB versions as reported in CVE-2016-6494, and recommends that you upgrade the MongoDB instance installed by the Commvault software as described in the KB article SEC0019:Security Vulnerability Issues with MongoDB Versions.
Vulnerability in 7-Zip (CVE-2018-10115 )
Our engineering team has reviewed the MS-ISAC Advisory number 2018-049 and CVE-2018-10115 reports regarding the vulnerability in 7-Zip. Based on our review, we can report that Commvault software does not use RAR compression and does not allow remote execution of the 7-Zip binaries. All versions of V10 and V11 Commvault software are unaffected by this potential vulnerability.
For more information, see KB article SEC0015: A Vulnerability in 7-Zip Could Allow for Arbitrary Code Execution (CVE-2018-10115).
Apache Tomcat Vulnerability Posted by NVD
Our engineering team has reviewed the NVD posting regarding the CVE-2017-12617 vulnerability in Apache Tomcat software, as well as the response by Apache. Based on our review, we can report that the configuration used by Commvault Tomcat installations does not include the WebDav servlet and does not alter the default value of "true" for default servlet init-param "readonly". All versions of V10 and V11 Commvault software are unaffected by this potential vulnerability.
Commvault Communication Service (CVD) Command Injection Vulnerability
We reviewed the vulnerability, identified by MetaSploit, in the CVD.exe service and addressed this issue in Version 11 Service Pack 7.
For more information, see KB article CVD0006: Commvault Communication Service (CVD) Command Injection Vulnerability.
Installing Windows Updates on All Clients in a Client Computer Group
To keep your CommCell environment secure, you must stay up-to-date with all Windows operating system updates. You can use the Install Windows Updates workflow to download and install Microsoft updates on all client computers in a client computer group. Download the Install Windows Updates workflow from Commvault Store. For instructions, see Download Workflows from Commvault Store. For details about the Install Windows Updates workflow, see Install Windows Updates Workflow.
MongoDB Security Implementation
Commvault software uses the MongoDB database program to store and to retrieve comments and replies associated with Edge Drive objects. During the installation of MongoDB, Commvault enables authentication mode and updates the default user credentials with a random password. For more information about Commvault and MongoDB, see MongoDB Security, Usage, Installation, and De-installation on the Commvault knowledge base website.
Cross-protocol attack on TLS on OpenSSL using SSLv2 (DROWN)
We have reviewed the OpenSSL Security Advisory posted on March 1, 2016, and can report that our firewall code uses TLS 1.2 and therefore is unaffected by this potential vulnerability.
For Commvault Web Console or Web Server, ensure that you are using the latest version of Microsoft IIS and that SSLv2 is disabled. Refer to the following articles for more information:
Linux Kernel Vulnerability Posted by NVD
Our engineering team has reviewed the NVD posting regarding a potential vulnerability in the Linux kernel before 4.4.1, as well as the response by RedHat. Based on our review, we can report that Commvault does not use this API in our backup and recovery code, and our File Recovery Enabler for Linux uses Centos 6.x kernels, and thus our software is not vulnerable to this potential threat.
Vulnerability Posted by Software Engineering Institute – CERT Division
Commvault acts swiftly on all security risks to verify the authenticity of the risk and any required resolution of that risk for all supported versions of our software. Our engineering team has reviewed the CERT posting and we have identified a potential security vulnerability in the Web Console through our own testing. At this time, there have been no customer reports of this issue.
This vulnerability is addressed in Version 11 SP1. It is not necessary to download or install any separate Hotfix to address it.
OpenSSL Security Advisory dated 3 Dec 2015 - Update 4 Dec 2015
OpenSSL vulnerabilities CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, and CVE-2015-3195 as described in OpenSSL.org's Security Advisory do not affect Commvault software.
Stack-Based Buffer Overflow Vulnerability
Our engineering team has reviewed the CERT posting on the stack-based buffer overflow vulnerability for Commvault Edge and have addressed this issue in Version 11 Service Pack 7.
For more information, see KB article SEC0013: Stack-based buffer overflow vulnerability.
Deprecation and End-of-Life
Infinishare for SharePoint Support Is Ending
Beginning in Service Pack 14, the SharePoint Server Agent will not support Infinishare for SharePoint.
Microsoft SharePoint Storage Manager Support Is Ending
Beginning in Service Pack 14, the SharePoint Server Agent will not support Microsoft SharePoint Storage Manager.
Microsoft SharePoint Server 2007 Support Has Ended
Beginning in Service Pack 13, the SharePoint Server Agent does not support Microsoft SharePoint Server 2007.
SharePoint Server Agent Direct Database Access Support Has Ended
Beginning in Service Pack 13, the SharePoint Server Agent does not support the direct database access option.
Support for Windows Server 2012 and Windows Server 2012 R2 Has Ended
Beginning April 15, 2022, support for these products has ended for the following Commvault platforms:
-
CommServe
-
Web Server
Support for Microsoft SQL Server 2012 and Microsoft SQL Server 2014 Has Ended
Beginning April 15, 2022, support for these products has ended for the following Commvault platforms:
-
CommServe
-
Web Server
For more information on upgrading Microsoft SQL Server, see Upgrading Microsoft SQL Server Editions.