CVE-2022-42889 - Service Virtualization / DevTest

Products

Service Virtualization

Issue/Introduction

CVE-2022-42889 was published in the National Vulnerability Database on 13 October, 2022. More information can be found here.

The vulnerability is caused with the use of Apache Commons Text 1.5 through 1.9. Is Service Virtualization( DevTest ) affected by this?

Environment

DevTest 10.7.x, 10.6.x and earlier

Cause

Third Party Vulnerability

Resolution

As per initial analysis, SV/DevTest is impacted by this vulnerability.

Existing Installation:

1. On Premise

For 10.6, 10.7 or 10.7.2, apply the patch to the DevTest installation. Use support credentials to login : 10.6.0 patch , 10.7.0 patch and 10.7.2 patch. Apply the patch to both Service Virtualization Server and Workstation components; follow the steps mentioned in the “README_STEPS.txt.” In the README_STEPS.txt, there are a few components to update including replacing the commons-text-1.6.jar with the commons-text-1.10.jar.
The patch is included in Service Pack 3 for DevTest 10.7.2. SP3 can be applied on top of 10.7.2 GA or 10.7.2 SP2 and can be downloaded here.
For 10.5 or lower, please upgrade to a supported version and apply the required patch.

2. Docker Images

The latest Docker images with the vulnerability fixes for different SV releases are hosted at sv-docker.packages.broadcom.com/sv.

10.6.0	virtual-service-catalog	sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.2.6
	lisa	sv-docker.packages.broadcom.com/sv/lisa:10.6.0.1
	portal	sv-docker.packages.broadcom.com/sv/portal:10.6.0.1
	iaam	sv-docker.packages.broadcom.com/sv/iaam:1.3.2.9
10.6.1	virtual-service-catalog	sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.3.9.2
	lisa	sv-docker.packages.broadcom.com/sv/lisa:10.6.1.1
	portal	sv-docker.packages.broadcom.com/sv/portal:10.6.1.1
	iaam	sv-docker.packages.broadcom.com/sv/iaam:1.3.3.5
10.6.2	virtual-service-catalog	sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.4.2.2
	lisa	sv-docker.packages.broadcom.com/sv/lisa:10.6.2.1
	portal	sv-docker.packages.broadcom.com/sv/portal:10.6.2.1
	iaam	sv-docker.packages.broadcom.com/sv/iaam:1.4.0.2
10.6.3	virtual-service-catalog	sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.4.2.2
	lisa	sv-docker.packages.broadcom.com/sv/lisa:10.6.3.1
	portal	sv-docker.packages.broadcom.com/sv/portal:10.6.3.1
	iaam	sv-docker.packages.broadcom.com/sv/iaam:1.4.0.2
10.6.4	virtual-service-catalog	sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.5.31.2
	lisa	sv-docker.packages.broadcom.com/sv/lisa:10.6.4.101.1
	portal	sv-docker.packages.broadcom.com/sv/portal:10.6.4.89.1
	iaam	sv-docker.packages.broadcom.com/sv/iaam:1.4.1.12.2
10.7.0	virtual-service-catalog	sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.6.42.4
	lisa	sv-docker.packages.broadcom.com/sv/lisa:10.7.0.168.1
	portal	sv-docker.packages.broadcom.com/sv/portal:10.7.0.70.1
	iaam	sv-docker.packages.broadcom.com/sv/iaam:1.4.2.79.1
10.7.2	virtual-service-catalog	sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.8.56.7
	lisa	sv-docker.packages.broadcom.com/sv/lisa:10.7.2.374.5
	portal	sv-docker.packages.broadcom.com/sv/portal:10.7.2.306.5
	iaam	sv-docker.packages.broadcom.com/sv/iaam:1.4.5.670.3
10.7.2 NGINX	virtual-service-catalog	sv-docker.packages.broadcom.com/sv/virtual-service-catalog:1.7.8.56.7
	lisa	sv-docker.packages.broadcom.com/sv/lisa:10.7.2.374.6
	portal	sv-docker.packages.broadcom.com/sv/portal:10.7.2.306.6
	iaam	sv-docker.packages.broadcom.com/sv/iaam:1.4.5.670.3

Update Images by pulling:

Follow these instructions to pull the latest docker images:

Login to sv-docker.packages.broadcom.com with valid credentials (username and token):

docker login sv-docker.packages.broadcom.com -u <USER_EMAIL> -p <ACCESS_TOKEN>

Note: To get the access token, follow the DevTest Solutions documentation.

Pull the latest image.

Please check back in this article regularly for updates.