CVE-2022-42889 was published in the National Vulnerability Database on 13 October, 2022. More information can be found at https://nvd.nist.gov/vuln/detail/CVE-2022-42889
A remote code execution vulnerability in Apache Commons Text string placeholder replacement class StringSubstitutor. When the class is used with defaults replacement resolvers, via StringSubstitutor.createInterpolator(), an input text attacker controlled by attacker can cause remote code execution. Other StringSubstitutor uses that supply own variable resolver are safe.
See also: https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/ but note that while it is in some ways similar to the famous Log4Shell vulnerability, the usage of text substitution is not as widespread as is logging so opportunities to exploit it are reduced.
In APM the library is used by ACC component, but it is used in only safe ways with explicit variable resolver. So, there is no impact.