Updated Commvault's Edge Server offers users the chance to view and access their backups from mobile devices, a trick it enables in part by using a web server.

But version 10 R2 of that server has a problem: it “deserializes untrusted, user-provided cookie data, resulting in arbitrary OS command execution with the web server's privileges.”

This isn't going to happen by accident: the CERT notice of the problem says a “A remote, unauthenticated attacker can provide specially crafted cookie data” to corrupt the web server.

But there's no fix as yet and the suggested workaround - “only allow connections from trusted hosts and networks” - is a nonsense because one usage scenario for Edge Server is allowing users of mobile devices to access backups. A stolen mobile device will look just like a trusted host and network, especially in the minutes or hours between a device's disappearance and the loss being reported. Commvault's site is currently silent on the matter. ®

Updated to add

A hotfix is now available to patch the aforementioned security vulnerability.