CVE-2022-42889 and DX Unified Infrastructure Management (UIM/Nimsoft)



Article ID: 252458


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

CVE-2022-42889 was published in the National Vulnerability Database on 13 October 2022. More information is available in the NVD entry for CVE-2022-42889.

The vulnerability affects Apache Commons Text versions 1.5 through 1.9.

Is UIM affected by this?

Environment

UIM 

Resolution

October 26 2023: As of UIM 20.4 CU9 (released in September 2023), all UIM components use Apache Commons Text version 1.10.0, which is not vulnerable to CVE-2022-42889.


October 20 2022, 9:26am US Eastern Time: Broadcom Engineering has confirmed that UIM is NOT vulnerable.

Although an affected version of Apache Commons Text (1.8) is present in the product and may be flagged by security scans, exploiting the vulnerability requires that the affected codebase use the StringSubstitutor API on untrusted input.

The guidance from Apache is as follows:

  • If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
  • If your own software uses commons-text, double-check whether it uses the StringSubstitutor API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.

UIM does not use the StringSubstitutor API at all, and therefore cannot be exploited. We understand that automated security scans may still register the affected version(s) and we are working to prioritize the upgrade of the Apache Commons libraries to 1.10 (or higher) as part of future probe releases to avoid this.

We are also investigating the possibility of manually replacing the .jar file to avoid triggering such scans; at this time we are unsure if this would negatively impact any functionality.
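The distinction the article draws (an affected commons-text jar on disk versus code that actually calls StringSubstitutor) is exactly what a triage script can check. The following Python is an added example, not Broadcom's, Apache's or UIM's own code: it reads the commons-text version from a jar manifest, scans application jars for class files whose constant pool names StringSubstitutor, and only reports "review required" when both conditions hold. All jar contents below are constructed in-memory samples, and names such as probe-clean.jar are hypothetical.

```python
import io
import re
import zipfile

# Affected range and fixed version as stated in the article.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)
FIXED = (1, 10, 0)

# A compiled class that uses the API carries this UTF8 constant-pool entry.
STRING_SUBSTITUTOR_REF = b"org/apache/commons/text/StringSubstitutor"
COMMONS_TEXT_JAR = re.compile(r"commons-text-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.strip().split("."))


def is_affected_version(version):
    """True for commons-text 1.5 through 1.9 (major.minor only; 1.10.x is outside)."""
    return AFFECTED_MIN <= parse_version(version)[:2] <= AFFECTED_MAX


def commons_text_version_from_jar(jar_bytes, filename=None):
    """Read Implementation-Version from the manifest; fall back to the jar filename."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    match = COMMONS_TEXT_JAR.search(filename or "")
    return match.group(1) if match else None


def references_string_substitutor(jar_bytes):
    """Names of .class entries in the jar whose bytes reference StringSubstitutor."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and STRING_SUBSTITUTOR_REF in zf.read(name):
                hits.append(name)
    return hits


def triage(commons_text_jar, application_jars):
    """Apply the article's logic: affected lib AND API use = review; lib alone = scanner noise."""
    version = commons_text_version_from_jar(commons_text_jar)
    affected = version is not None and is_affected_version(version)
    users = {name: references_string_substitutor(data) for name, data in application_jars.items()}
    users = {name: hits for name, hits in users.items() if hits}
    if not affected:
        verdict = "not affected: commons-text %s is outside 1.5-1.9" % version
    elif users:
        verdict = "review required: affected commons-text %s and StringSubstitutor is referenced" % version
    else:
        verdict = "scanner finding only: affected commons-text %s but StringSubstitutor is not referenced" % version
    return {"version": version, "affected": affected, "substitutor_users": users, "verdict": verdict}


def _make_jar(entries):
    """Build a minimal jar (zip) in memory from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample artifacts (not real UIM or commons-text files): manifest-only
# library stubs and two fake class files, one of which names StringSubstitutor.
SAMPLE_COMMONS_TEXT_18 = _make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Version: 1.8\r\n"})
SAMPLE_COMMONS_TEXT_1100 = _make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Version: 1.10.0\r\n"})
SAMPLE_PROBE_CLEAN = _make_jar({"com/example/probe/Main.class": b"\xca\xfe\xba\xbe" + b"java/lang/String"})
SAMPLE_PROBE_USES_API = _make_jar({"com/example/probe/Templater.class": b"\xca\xfe\xba\xbe" + STRING_SUBSTITUTOR_REF})

if __name__ == "__main__":
    print(triage(SAMPLE_COMMONS_TEXT_18, {"probe-clean.jar": SAMPLE_PROBE_CLEAN})["verdict"])
    print(triage(SAMPLE_COMMONS_TEXT_18, {"probe-templater.jar": SAMPLE_PROBE_USES_API})["verdict"])
```

The byte search is a heuristic: it catches direct references from compiled classes but not reflective use or a call hidden in a nested dependency, so a "scanner finding only" result still deserves a quick confirmation against the vendor's statement, which is what this article provides for UIM.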

Additional Information

Change log:

October 19 2022:
12:30pm US Eastern Time: initial KB published indicating investigation is underway

October 20 2022:
9:26am US Eastern Time: updated KB to reflect that UIM is not vulnerable
10:25am US Eastern Time: updated KB with additional details from Apache

Additional Information From Apache is available at the following URL:

https://commons.apache.org/proper/commons-text/security.html

Customers may sign up for Proactive Notifications for UIM using the URL below. The notification options include being notified about security vulnerabilities and their fixes.

Sign up for Proactive Notifications to receive emails regarding important notifications, updates and release information regarding your Broadcom Software.