Apache Commons Text vulnerability

Article ID: 252562

Products

DX Application Performance Management

Issue/Introduction

Looking at the new Apache Commons Text vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2022-42889), I see that the restmon extension packaged with the APM Infrastructure Agent includes commons-text.jar v1.4, which is vulnerable. Is someone looking at this, or does anyone know of a reason that it isn’t vulnerable, please?

Please forward this to dev with urgency if we don't have an answer, as customers are asking.

Environment

Release : 21.3

Resolution

https://knowledge.broadcom.com/external/article?articleId=252479 APM

https://knowledge.broadcom.com/external/article?articleId=252480 AXA

https://knowledge.broadcom.com/external/article?articleId=252482 OI

https://knowledge.broadcom.com/external/article?articleId=252503 ASM

If it only affects >= 1.5 we are probably okay, as the restmon extension uses 1.4.
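
Because the bundled file is named commons-text.jar with no version in its name, the version has to be read from inside the archive. The following is an added example, not Broadcom's or Apache's code: it walks an install directory, reads each jar's Maven pom.properties (falling back to the manifest) and compares the result with the ">= 1.5" bound stated above. The `scan` and `fixed_in` names are hypothetical, the manifest title string is an assumption, and the upper bound is left as a parameter because this page does not state it.

```python
import re
import sys
import zipfile
from pathlib import Path

# Lower bound of the affected range as stated on this page (">= 1.5").
AFFECTED_FROM = (1, 5)
# Maven metadata path inside a commons-text jar (groupId org.apache.commons).
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"

def parse_version(text):
    """Turn '1.4' or '1.10.0' into a tuple of ints so 1.10 sorts after 1.9."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def jar_version(jar_path):
    """Return the commons-text version recorded inside the jar, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
            found = re.search(r"^version=(\S+)", props, re.M)
            if found:
                return found.group(1)
        if "META-INF/MANIFEST.MF" in names:
            # Assumption: the manifest title contains "Commons Text".
            mf = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            title = re.search(r"^Implementation-Title:\s*(.*)$", mf, re.M)
            ver = re.search(r"^Implementation-Version:\s*(\S+)", mf, re.M)
            if title and ver and "commons text" in title.group(1).lower():
                return ver.group(1)
    return None

def scan(root, fixed_in=None):
    """List (path, version, affected) for each commons-text jar under root."""
    results = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            version = jar_version(jar)
        except (zipfile.BadZipFile, OSError):
            continue  # unreadable, or not a real archive
        if version is None:
            continue  # some other library
        v = parse_version(version)
        affected = v >= AFFECTED_FROM and (
            fixed_in is None or v < parse_version(fixed_in))
        results.append((str(jar), version, affected))
    return results

if __name__ == "__main__":
    for path, version, hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\tcommons-text {version}\t{'affected range' if hit else 'outside range'}")
```

Copies of the library repackaged inside another jar (shaded or nested archives) are not opened by this check and need a separate pass.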