Download or copy software screen. Click "Download"

Notices where this attachment appears

1. Embed this notice
   Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 08-May-2025 13:25:43 JST Will Dormann

   in reply to

   Ok, after a lenghthy call with Commvault:

   The 11.38 version of Commvault is what's referred to as the "Innovation Release" of the software, where the expectation is that "Pioneer customers" register with Commvault and are specifically approved to even see updates that are available.

   The problem with this:
   Customers who fire up a Commvault 11.38 VM through Azure or the like did not to through the front door of registering with Commvault. As such, they would NOT SEE UPDATES AVAILABLE. This was... not ideal.

   However, based on what the Commvault engineers did on the call that just ended a few minutes ago, they just have changed the backend to provide the "Additional updates" that fix CVE-2025-34028 to weirdos who use Azure such as myself.

   That is, as of about 10 minutes ago, all Commvault 11.38 users can get the fix for CVE-2025-34028 by:

   1. In Manage -> System -> Maintenance, click Download or copy software
   2. Click the Download button (and Next and Run)
   3. In Manage -> Servers, click the ⋮ under Actions and click Upgrade software
   4. Watch the software update.
   5. In Manage -> Servers, click the and click the number next toAdditional updates`
   6. Confirm that you have SP38-CU20-433 and SP38-CU20-436 (if you're runing 11.38.20) or SP38-CU25-434 and SP38-CU25-438 (if you're running 11.38.25).

   NOTE: With the "Innovation Release" (11.38) version of Commvault, the build number does NOT change with the installation of additional updates. That is, 11.38.25 is both vulnerable and not vulnerable to CVE-2025-34028, depending on whether the relevant Additional updates are installed.

   You're all welcome. 😂