CVE-2022-42889: Apache Commons Text Insecure Interpolation Defaults Input Handling Arbitrary Code Execution
Release: 15.8, 16.0
DLP is not impacted as it does not use commons-text functionality (directly or indirectly), and does not allow any untrusted Java code to be executed on DLP servers.
CVE-2022-42889 - Apache Commons Text Vulnerability and Broadcom's Response
We do ship commons-text-1.8.jar, which version-based scanners will most likely flag as vulnerable.
To prevent this incorrect flagging, DLP has replaced the commons-text-1.8.jar file with the commons-text-1.10.0.jar file in DLP 16.0 Maintenance Pack 1, as noted in the release notes.
Engineering has released a private hotfix for 15.8 MP3.
If you need this fix, open a case with Support and ask for the "Hotfix_15.8MP3_Commons_Hotfix_Server.zip" hotfix.
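The following script is an added example for verifying which commons-text jar an installation actually carries; it is not Broadcom's or DLP's own code and the DLP install path is not stated on this page, so the directory to scan is passed as an argument. It reads the Implementation-Version from each jar's manifest (falling back to the version in the filename) and flags anything older than 1.10.0, the version DLP 16.0 MP1 ships, which is the same version-based rule scanners apply. The sample jars it builds for the demonstration are constructed stubs containing only a manifest, not real Apache artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2022-42889 is fixed in commons-text 1.10.0 (the version DLP 16.0 MP1 ships);
# version-based scanners flag anything older, so that is what this check reports.
FIXED_VERSION = (1, 10, 0)


def parse_version(text):
    """Turn '1.8' or '1.10.0' into a comparable 3-tuple of ints."""
    nums = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])


def jar_version(jar_path):
    """Read Implementation-Version from the jar manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return line.split(":", 1)[1].strip()
    except (KeyError, zipfile.BadZipFile):
        pass  # no manifest or not a valid jar: rely on the filename
    match = re.search(r"commons-text-(\d+(?:\.\d+)*)", Path(jar_path).name)
    return match.group(1) if match else None


def scan(root):
    """Return (filename, version, flagged) for every commons-text jar under root.

    flagged is True when the version is unknown or older than FIXED_VERSION.
    """
    results = []
    for jar in sorted(Path(root).rglob("commons-text-*.jar")):
        version = jar_version(jar)
        flagged = version is None or parse_version(version) < FIXED_VERSION
        results.append((jar.name, version, flagged))
    return results


def make_sample_jar(path, version):
    """Constructed sample jar containing only a manifest (not a real Apache artifact)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")


def run_demo():
    """Build a throwaway tree with a 1.8 jar and a 1.10.0 jar and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        make_sample_jar(lib / "commons-text-1.8.jar", "1.8")
        make_sample_jar(lib / "commons-text-1.10.0.jar", "1.10.0")
        return scan(tmp)


if __name__ == "__main__":
    import sys
    # Usage: python check_commons_text.py /path/to/dlp/install (hypothetical path)
    root = sys.argv[1] if len(sys.argv) > 1 else None
    for name, version, flagged in (scan(root) if root else run_demo()):
        print(f"{'FLAGGED' if flagged else 'ok     '} {name} (version {version})")
```

Run it against the server's installation root after applying 16.0 MP1 or the 15.8 MP3 hotfix; a remaining FLAGGED line means an older jar is still on disk and will keep tripping scanners even though, per the statement above, DLP does not invoke commons-text.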