CVE-2022-42889 - Service Management



Article ID: 252467




Products: CA Service Catalog, CA Business Service Insight, CA Service Management - Service Desk Manager, CA Service Management - Asset Portfolio Management, CA Service Desk Manager, CA IT Asset Manager, CA IT Asset Manager Asset Portfolio Management, CA Process Automation Base


CVE-2022-42889 was published in the National Vulnerability Database on 13 October 2022. More information can be found here.

The vulnerability affects applications that use Apache Commons Text versions 1.5 through 1.9.

Are the Service Management products vulnerable?


Environment: CA Service Management, all supported operating systems


1.  CA Service Catalog

CA Service Catalog does not use the Apache Commons Text library, and there is no reference to the 'StringSubstitutor' API in the CA Service Catalog code base.

Therefore CA Service Catalog is NOT vulnerable to CVE-2022-42889.

2.  CA Service Desk Manager (SDM)

CA Service Desk Manager is not vulnerable to CVE-2022-42889.

However, the xFlow module in 17.3 RU17 is vulnerable to CVE-2022-42889. xFlow is NOT vulnerable at previous RU levels.

If you have CA Service Management installed, CVE-2022-42889 is fixed in CA Service Management RU18; see the documentation on installing RU18.

Alternatively, for xFlow, you can follow the steps below to remediate the vulnerability:

a.  Stop the xFlow services
b.  Remove the following files from the xFlow installation directory


c.  Restart xFlow services

3.  CA IT Asset Manager (ITAM)

CA IT Asset Manager does not use the Apache Commons Text library, and there is no reference to the 'StringSubstitutor' API in the CA IT Asset Manager code base.

Therefore CA IT Asset Manager is NOT vulnerable to CVE-2022-42889.

4. Business Service Insight (BSI)

Business Service Insight does not use the Apache Commons Text library, and there is no reference to the 'StringSubstitutor' API in the Business Service Insight code base.

Therefore Business Service Insight is NOT vulnerable to CVE-2022-42889.

5. IT Process Automation (ITPAM)

IT Process Automation does not use the Apache Commons Text library, and there is no reference to the 'StringSubstitutor' API in the IT Process Automation code base. Default PAM installations do not deploy or deliver any jar files related to this defect.

Therefore IT Process Automation is NOT vulnerable to CVE-2022-42889.
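The product-by-product assessment above rests on two checks: whether an installation ships the Apache Commons Text library in the 1.5 to 1.9 range, and whether StringSubstitutor is present at all. The script below is an added example, not CA/Broadcom code, that performs both checks over an installation directory by opening every jar, looking for the StringSubstitutor class entry (which also catches shaded copies) and reading the manifest version; the sample jars it scans are constructed in a temporary directory so it runs offline.

```python
# Added example, not CA/Broadcom code: flag Apache Commons Text 1.5 through 1.9 (CVE-2022-42889).
import re
import tempfile
import zipfile
from pathlib import Path

SUBSTITUTOR_ENTRY = "org/apache/commons/text/StringSubstitutor.class"

def is_affected_version(version):
    """True for 1.5 <= version <= 1.9, None when the string cannot be parsed."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    return None if not m else int(m.group(1)) == 1 and 5 <= int(m.group(2)) <= 9

def jar_version(jar):
    """Implementation-Version from the jar manifest, None if it is not recorded."""
    if "META-INF/MANIFEST.MF" in jar.namelist():
        for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None

def scan_installation(root):
    """List (jar name, version, status) for every jar that carries StringSubstitutor."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(path) as jar:
                if SUBSTITUTOR_ENTRY not in jar.namelist():
                    continue  # no Commons Text classes, shaded or otherwise
                version = jar_version(jar)
        except zipfile.BadZipFile:
            continue  # not a real jar; nothing to assess
        affected = is_affected_version(version)
        status = {True: "AFFECTED", False: "not affected", None: "unknown version"}[affected]
        findings.append((path.name, version, status))
    return findings

def build_constructed_installation(root):
    """Write constructed sample jars (not real CA artefacts) so the scan runs offline."""
    specs = [("commons-text-1.9.jar", "1.9", True), ("commons-text-1.10.0.jar", "1.10.0", True),
             ("app-shaded.jar", None, True), ("commons-lang3-3.12.0.jar", "3.12.0", False)]
    for name, version, ships_substitutor in specs:
        with zipfile.ZipFile(Path(root) / name, "w") as jar:
            manifest = "Manifest-Version: 1.0\n" + (f"Implementation-Version: {version}\n" if version else "")
            jar.writestr("META-INF/MANIFEST.MF", manifest)
            if ships_substitutor:
                jar.writestr(SUBSTITUTOR_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only
    return root

def demo():
    return scan_installation(build_constructed_installation(tempfile.mkdtemp()))
```

For a real check, call scan_installation with the xFlow installation directory; a jar reported with an unknown version (a shaded copy with no manifest version) needs manual review rather than being treated as safe.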

Additional Information