Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114464452503908149">Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 08-May-2025 13:25:43 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114458913006792356" rel="in-reply-to">in reply to</a></div></section><article><p>Oh, wow.</p><p>Only after pestering the Commvault PSIRT did they update the language of their advisory.</p><p>While it still incorrectly says that 11.38.0 - 11.38.19 are affected and that 11.38.20 is resolved (it is not), the've added a section below this misinformation to convey the actual state of the world:</p><p>11.38.20 is only patched if it has the SP38-CU20-433 and SP38-CU20-436 additional updates installed.</p><p>And 11.38.25 is only patched if it has the SP38-CU25-434 and SP38-CU25-438 additional updates installed.</p><p>I cannot think of a behavior that is more vindictive to their customers to botch language in an advisory so bad, and also to not bother bumping release versions for the fixes for a CVSS 10 EITW vulnerability.  🤦♂️</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5021249#notice-9842606">In conversation</a><time datetime="2025-05-08T13:25:43+09:00" title="Thursday, 08-May-2025 13:25:43 JST">about 10 days ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114464452503908149" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114464452503908149">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4594232">Impacted Products
Product	Platforms	Affected Versions	Resolved Version	Status
Commvault	Linux, Windows	11.38.0 - 11.38.19	11.38.20	Resolved
Resolution
This vulnerability impacts only the 11.38 Innovation Release and has been resolved in the following Innovation Update releases along with additional updates. All other versions are not affected.11.38.20, with the following additional updates:SP38-CU20-433SP38-CU20-43611.38.25, with the following additional updates:SP38-CU25-434SP38-CU25-438</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/464/450/506/092/601/original/f3c0de7a8753837f.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/464/450/506/092/601/original/f3c0de7a8753837f.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4594233">Great Job!</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/464/451/116/329/288/original/814b4ab3c55bf412.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/464/451/116/329/288/original/814b4ab3c55bf412.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 08-May-2025 13:25:43 JST Will Dormann
in reply to
Oh, wow.
Only after pestering the Commvault PSIRT did they update the language of their advisory.
While it still incorrectly says that 11.38.0 - 11.38.19 are affected and that 11.38.20 is resolved (it is not), the've added a section below this misinformation to convey the actual state of the world:
11.38.20 is only patched if it has the SP38-CU20-433 and SP38-CU20-436 additional updates installed.
And 11.38.25 is only patched if it has the SP38-CU25-434 and SP38-CU25-438 additional updates installed.
I cannot think of a behavior that is more vindictive to their customers to botch language in an advisory so bad, and also to not bother bumping release versions for the fixes for a CVSS 10 EITW vulnerability. 🤦♂️
In conversationabout 10 days ago from infosec.exchangepermalink
Attachments
1. Impacted Products Product Platforms Affected Versions Resolved Version Status Commvault Linux, Windows 11.38.0 - 11.38.19 11.38.20 Resolved Resolution This vulnerability impacts only the 11.38 Innovation Release and has been resolved in the following Innovation Update releases along with additional updates. All other versions are not affected. 11.38.20, with the following additional updates: SP38-CU20-433 SP38-CU20-436 11.38.25, with the following additional updates: SP38-CU25-434 SP38-CU25-438
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/464/450/506/092/601/original/f3c0de7a8753837f.png
2. Great Job!
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/464/451/116/329/288/original/814b4ab3c55bf412.png

Public

Embed Notice

HTML Code

Corresponding Notice