VMware Response to CVE-2022-42889: Apache Commons Text vulnerability

Article ID: 323212

Products

VMware

Issue/Introduction

On October 13th, 2022, the Apache Commons Text team disclosed CVE-2022-42889, a potentially critical vulnerability that could result in remote code execution if Apache Commons Text is configured to consume untrusted input and other conditions are met.

The VMware Security Response Center (vSRC) has been working with our various product engineering teams in an attempt to determine if any VMware products that ship with Apache Commons Text are vulnerable to exploitation via CVE-2022-42889.

Resolution

Investigations have concluded: no VMware products have been found to be impacted by CVE-2022-42889 in a way that would allow for meaningful exploitation of the vulnerability. Regardless, VMware products that consume Apache Commons Text will update the package as a precautionary measure in future releases.

Additional Information

Change log:

October 24th 2022: Initial publication

November 14th 2022: Investigations have concluded