CVE-2022-42889 and Automic Automation

Article ID: 252447

Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

CVE-2022-42889 was published in the National Vulnerability Database on 13 October, 2022.  More information can be found here

The vulnerability is caused by the use of Apache Commons Text 1.5 through 1.9. Is Automic Automation affected by this?

Resolution

No components are impacted by this vulnerability. Please see the details below for the components that use the Apache commons-text library:

  • 12.3 Automation Engine: Not impacted
  • 21.0 Automation Engine: While the Automation Engine does have a direct dependency on Apache commons-text, the affected class is not used. The Automation Engine component will have its version of Apache commons-text updated to 1.10 in 21.0.4+hf.1 - Available for download
  • RA Web Service REST: While the REST solution does have a dependency on the Apache commons-text via the CXF framework, it is not affected by this vulnerability.  The REST solution had its version of Apache commons-text updated to 1.10 in RA Web Service REST release 4.6.6 - Available for download
  • RA Web Service SOAP: While the SOAP solution does have a dependency on the Apache commons-text via the CXF framework, it is not affected by this vulnerability.  The SOAP solution had its version of Apache commons-text updated to 1.10 in RA Web Service SOAP release 4.6.3 - Available for download
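
To confirm which commons-text version is actually present in an installation, the following added example (not Broadcom's code) walks a directory tree, including jars nested inside other archives, and flags versions in the 1.5 through 1.9 range named above. The function names and the `commons-text-<version>.jar` filename pattern are assumptions of this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumed naming: commons-text-<version>.jar, on disk or as an entry in another archive.
JAR_RE = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def in_affected_range(version):
    """True for 1.5 through 1.9, the range the article gives for CVE-2022-42889."""
    parts = tuple(int(p) for p in version.split("."))
    return (1, 5) <= parts[:2] <= (1, 9)

def scan_archive(data, label, depth=0):
    """Yield (location, version) for commons-text jars nested inside an archive."""
    if depth > 3:  # bound recursion into nested archives
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                yield f"{label}!/{name}", m.group(1)
            elif name.lower().endswith(ARCHIVE_EXT):
                yield from scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)

def scan_tree(root):
    """Return sorted (location, version, affected) for every commons-text jar under root."""
    found = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not path.name.lower().endswith(ARCHIVE_EXT):
            continue
        m = JAR_RE.search(path.as_posix())
        if m:
            found.append((str(path), m.group(1)))
        else:
            found.extend(scan_archive(path.read_bytes(), str(path)))
    return sorted((loc, ver, in_affected_range(ver)) for loc, ver in found)

if __name__ == "__main__":
    for loc, ver, affected in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'IN RANGE 1.5-1.9' if affected else 'ok':<17} {ver:<8} {loc}")
```

Filename matching does not find renamed or shaded copies of the library, and a hit only shows that a version in the range is present, not that the affected class is used.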

 

Update: 24 October 2022: Resolution updated: No components are fully affected

Update: 20 October 2022: The core components for Automation Engine are not impacted on 12.3. Broadcom Support and Engineering are continuing to look into whether there is an impact on 21.0 as well as agents.

Update: 19 October 2022: Broadcom Support and Engineering are looking into this as a priority.

Please check back on this article regularly for updates.