CVE-2022-42889 and DX Unified Infrastructure Management (UIM/Nimsoft)

Article ID: 252458

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

CVE-2022-42889 was published in the National Vulnerability Database on 13 October 2022. More information can be found here.

The vulnerability is caused by the use of Apache Commons Text 1.5 through 1.9.

Is DX UIM affected by this?

Is CABI affected by CVE-2022-42889?

Environment

DX UIM 20.4.* / 23.4.*

Resolution

DX UIM 20.4.9 and DX UIM 23.4.* are not vulnerable to CVE-2022-42889.

All UIM components use Apache Commons Text version 1.10.0, which is not vulnerable to CVE-2022-42889.

Note: CABI must be upgraded to 23.4 to avoid being scanned as vulnerable.

Additional Information

For previous versions:

In DX UIM, although an affected version of Apache Commons Text (1.8) is present and may be flagged by security scans, exploiting the vulnerability requires that the affected codebase use the StringSubstitutor API.

The guidance from Apache is as follows:

  • If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
  • If your own software uses commons-text, double-check whether it uses the StringSubstitutor API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.

DX UIM does not use the StringSubstitutor API at all, and therefore cannot be exploited. We understand that automated security scans may still register the affected version(s), and we are working to prioritize upgrading the Apache Commons libraries to 1.10 (or higher) in future probe releases to avoid this.

We are also investigating the possibility of manually replacing the .jar file to avoid triggering such scans; at this time we are unsure if this would negatively impact any functionality.
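The scan-noise situation described above comes down to knowing which commons-text jars are on a host and at what version. The following inventory check is an added example (not Broadcom's or Apache's code): it walks a directory tree such as a UIM install, reads each commons-text jar's Implementation-Version from its manifest (falling back to the filename), and flags the 1.5 through 1.9 range. The directory layout and the two fake jars it scans are constructed fixtures, not a real UIM layout.

```python
import os
import re
import tempfile
import zipfile

JAR_NAME = re.compile(r"^commons-text-(\d+(?:\.\d+)+)\.jar$")

def is_affected(version):
    """True for commons-text 1.5 through 1.9 (CVE-2022-42889); 1.10.0 is fixed."""
    v = tuple(int(p) for p in version.split("."))  # tuple compare: 1.10 > 1.9
    return (1, 5) <= v < (1, 10)

def jar_version(jar_path):
    """Prefer Implementation-Version from the jar manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: use the filename instead
    m = JAR_NAME.match(os.path.basename(jar_path))
    return m.group(1) if m else None

def scan(root):
    """Map each commons-text jar under root to (version, affected?)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in filter(JAR_NAME.match, files):
            path = os.path.join(dirpath, name)
            ver = jar_version(path)
            findings[path] = (ver, is_affected(ver) if ver else None)
    return findings

def demo():
    """Constructed fixture (not a real UIM layout): fake jars at 1.8 and 1.10.0, then scan."""
    root = tempfile.mkdtemp()
    for sub, ver in (("probes/old", "1.8"), ("lib", "1.10.0")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        jar = os.path.join(root, sub, f"commons-text-{ver}.jar")
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")
    return scan(root)

if __name__ == "__main__":
    for path, (ver, hit) in sorted(demo().items()):
        print("AFFECTED" if hit else "ok", ver, path)
```

Point `scan()` at the real install root to get the same (version, affected) map for the jars a scanner would report.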

Additional information from Apache is available at the following URL:

https://commons.apache.org/proper/commons-text/security.html

Customers may sign up for Proactive Notifications for UIM using the URL below. Notifications include an option to be notified about security vulnerabilities and fixes.

Sign up for Proactive Notifications to receive emails regarding important notifications, updates and release information regarding your Broadcom Software.