CVE-2022-42889: Apache Commons Text Insecure Interpolation Defaults Input Handling Arbitrary Code Execution
Article ID: 252226

Products

Data Loss Prevention Enterprise Suite Data Loss Prevention

Issue/Introduction

CVE-2022-42889: Apache Commons Text Insecure Interpolation Defaults Input Handling Arbitrary Code Execution 

Environment

Release: 15.8, 16.0

Resolution

DLP is not impacted: it does not use commons-text functionality (directly or indirectly) and does not allow any untrusted Java code to be executed on DLP servers.

CVE-2022-42889 - Apache Commons Text Vulnerability and Broadcom's Response

We do ship commons-text-1.8.jar, which scanners will most likely flag as vulnerable based on its version alone.
To prevent this incorrect flagging, DLP 16.0 Maintenance Pack 1 replaces commons-text-1.8.jar with commons-text-1.10.0.jar, as noted in the release notes.

Engineering has released a private hotfix for 15.8 MP3.
If you need this fix, open a case with Support and ask for the "Hotfix_15.8MP3_Commons_Hotfix_Server.zip" hotfix.
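The following script is an added example, not Broadcom's tooling or part of the DLP product: it walks an install tree, lists every commons-text jar it finds, and reports which ones a version-based scanner would still flag (anything older than 1.10.0, the version the article says DLP 16.0 MP1 ships). The install path is an assumption supplied on the command line; when no path is given the script builds a small constructed directory tree so it can be run offline. Like the scanners the article describes, it judges only by the file name, so a "flagged" result confirms what a scanner will report, not that the library is actually reachable by untrusted input.

```shell
#!/bin/sh
# Added example (not Broadcom's): report commons-text jars older than 1.10.0.
# Version checks are by file name only, exactly as the scanners in the article do.

# Return 0 when dotted numeric version $1 is strictly older than $2.
# Handles differing component counts (1.8 vs 1.10.0); numeric components only.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"              # leading component of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"   # drop it from the remainder
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"              # missing component counts as 0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1                                      # equal versions are not "older"
}

# Extract the version from a path such as /opt/x/lib/commons-text-1.8.jar -> 1.8
jar_version() {
    v="${1##*/}"
    v="${v#commons-text-}"
    v="${v%.jar}"
    printf '%s\n' "$v"
}

# Print one line per commons-text jar under $1: "<path> <version> flagged|ok".
# 1.10.0 is the version the article says DLP 16.0 MP1 ships in place of 1.8.
scan_commons_text() {
    find "$1" -type f -name 'commons-text-*.jar' | while read -r jar; do
        v=$(jar_version "$jar")
        if version_lt "$v" "1.10.0"; then
            printf '%s %s flagged\n' "$jar" "$v"
        else
            printf '%s %s ok\n' "$jar" "$v"
        fi
    done
}

# Number of jars a version-based scanner would still flag under $1.
count_flagged() {
    scan_commons_text "$1" | grep -c ' flagged$' || true
}

# Constructed sample tree (empty placeholder files, not real jars) for offline runs:
# one old jar, one replaced jar, and an unrelated jar that must be ignored.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/plugins"
    : > "$d/lib/commons-text-1.8.jar"
    : > "$d/plugins/commons-text-1.10.0.jar"
    : > "$d/lib/commons-lang3-3.12.0.jar"
    printf '%s\n' "$d"
}

# Usage: sh check_commons_text.sh /path/to/DLP/install   (hypothetical path)
# With no argument the constructed demo tree is scanned instead.
main() {
    root="${1:-$(demo_tree)}"
    scan_commons_text "$root"
    echo "flagged jars under $root: $(count_flagged "$root")"
}

main "$@"
```

On a real server, run it against the DLP install directory after applying 16.0 MP1 or the 15.8 MP3 hotfix; a clean result means a version-based scanner has nothing left to flag, while the article's actual mitigation (DLP never hands untrusted input to commons-text) is a property of the product, not something a file-name scan can confirm or refute.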