Solved

Apache Vulnerability CVE-2022-42889

  • 18 October 2022
  • 23 replies
  • 1069 views

Badge +1

Hello,

 

This recent vulnerability has been detected. It seems to be a vulnerability in Apache Commons Text.

The affected versions of Apache Commons Text are 1.5 to 1.9. 

 

Does this affect Commvault too?


Best answer by Mike Struening RETIRED 19 October 2022, 18:23



Badge

From the release documentation, it looks like it was in the January 2023 update - 11.24.86

Update commons-text library to the latest version to address CVE-2022-42889 concerns.

6640, 6641, 6642

Badge +1

Hello Onno,

 

Yes, I would be glad to receive an answer.

 

Hello @Damian Andre ,

 

Can you tell me if there is any update now for 11.24 Form ID 5772 ETA?

 

And do we have any news about the problem regarding commons-text?

\Program Files\Commvault\ContentStore\AdminConsole\WEB-INF\lib\commons-text-1.10.0.jar

\Program Files\Commvault\ContentStore\CustomReportsEngine\WEB-INF\lib\commons-text-1.9.jar

 

Thanks, Tobi

Userlevel 7
Badge +19

@Tobi unfortunately Mike doesn't work at Commvault any longer, but I think @Damian Andre can provide an answer to your question. 

Badge +1

Hello Mike,

 

Do we have any update now for 11.24 Form ID 5772 ETA?

 

And do we have any news about the problem regarding commons-text?

\Program Files\Commvault\ContentStore\AdminConsole\WEB-INF\lib\commons-text-1.10.0.jar

\Program Files\Commvault\ContentStore\CustomReportsEngine\WEB-INF\lib\commons-text-1.9.jar

 

Userlevel 7
Badge +23

For 11.24, it’s Form ID 5772.  Still in progress, but on its way (doesn’t show an ETA).

Badge

@Mike Struening As LTS will 11.24 be getting this hotfix? Just I don’t see it in the December 11.24.78 release - unless I missed it?

Userlevel 7
Badge +23

You beat me to the punch!  Keep me posted 😎

Badge

Thanks Mike, but after upgrading to 11.28.35 I see it only updated in AdminConsole, not in CustomReportsEngine. Will open a ticket.

 

\Program Files\Commvault\ContentStore\AdminConsole\WEB-INF\lib\commons-text-1.10.0.jar

\Program Files\Commvault\ContentStore\CustomReportsEngine\WEB-INF\lib\commons-text-1.9.jar
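The thread keeps coming back to the same check: which WEB-INF\lib directories still carry a Commons Text jar in the affected range (1.5 through 1.9), and whether an update replaced the jar everywhere or only in one component. The following script is an added example, not code from the thread or from Commvault. It walks one or more directory trees, picks up every Commons Text jar, reads the version from the file name or, when the name has no version, from the Maven pom.properties inside the jar, and flags the 1.5 to 1.9 range. The demo layout and the sample jars it builds are constructed stand-ins, not real Commons Text artifacts; the Commvault directory names are used only to mirror the paths quoted above.

```python
"""Find Apache Commons Text jars in the CVE-2022-42889 range (1.5 <= v < 1.10).

Added example. The sample jars built by build_sample_jar() contain only a
Maven pom.properties and are constructed for the demo.
"""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

VULNERABLE_FROM = (1, 5)   # first affected release
FIXED_IN = (1, 10)         # 1.10.0 is the first fixed release

FILENAME_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
# Maven writes this file into every commons-text jar it builds.
POM_PROPERTIES = "META-INF/maven/org.apache.commons/commons-text/pom.properties"


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); tuple order is the release order for this library."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version):
    """True for 1.5 <= version < 1.10, the range named in the advisory."""
    return VULNERABLE_FROM <= parse_version(version) < FIXED_IN


def pom_version(jar_path):
    """Version recorded in the embedded pom.properties, or None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPERTIES not in zf.namelist():
                return None
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    return None


def jar_version(jar_path):
    """Prefer the version in the file name; fall back to the pom inside the jar."""
    match = FILENAME_RE.match(Path(jar_path).name)
    return match.group(1) if match else pom_version(jar_path)


def is_commons_text_jar(jar_path):
    """A renamed copy still carries the Commons Text pom, so check both."""
    return bool(FILENAME_RE.match(Path(jar_path).name)) or pom_version(jar_path) is not None


def scan(roots):
    """Walk each root for Commons Text jars and classify each one."""
    findings = []
    for root in roots:
        for jar in sorted(Path(root).rglob("*.jar")):
            if not is_commons_text_jar(jar):
                continue
            version = jar_version(jar)
            findings.append({
                "path": str(jar),
                "version": version,
                # An unreadable version is reported as None: review it, do not assume clean.
                "vulnerable": is_vulnerable(version) if version else None,
            })
    return findings


def build_sample_jar(version):
    """Constructed stand-in for a Commons Text jar: just the Maven pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.commons\nartifactId=commons-text\nversion={version}\n")
    return buf.getvalue()


def demo():
    """Constructed layout: one component updated to 1.10.0, one still on 1.9 plus a renamed 1.8."""
    layout = {
        "AdminConsole/WEB-INF/lib/commons-text-1.10.0.jar": "1.10.0",
        "CustomReportsEngine/WEB-INF/lib/commons-text-1.9.jar": "1.9",
        "CustomReportsEngine/WEB-INF/lib/commons-text.jar": "1.8",          # version only inside the jar
        "CustomReportsEngine/WEB-INF/lib/commons-lang3-3.12.0.jar": None,   # unrelated jar, must be ignored
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, version in layout.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            if version is None:
                with zipfile.ZipFile(path, "w") as zf:
                    zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            else:
                path.write_bytes(build_sample_jar(version))
        # Map relative path -> (version, vulnerable) so the result does not depend on the temp dir.
        return {os.path.relpath(f["path"], tmp).replace(os.sep, "/"): (f["version"], f["vulnerable"])
                for f in scan([tmp])}


if __name__ == "__main__":
    for rel, (version, vulnerable) in demo().items():
        status = {True: "VULNERABLE", False: "ok", None: "unknown"}[vulnerable]
        print(f"{status:11} {version or '?':8} {rel}")
```

On a real install, call `scan()` with the ContentStore root (or each component's WEB-INF\lib) instead of the temporary tree; a jar reported as `unknown` has neither a version in its name nor a readable pom and should be inspected by hand rather than ticked off.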

Userlevel 7
Badge +23

@EndUser it’s in 11.28.34 (Form 3184) which will be included in the next official release in December.

If you need the details for another Feature Release, let me know.

Badge

How is this resolved? Documentation says there will be a future update. 

https://documentation.commvault.com/2022e/essential/146231_security_vulnerability_and_reporting.html

CV_2022_10_1: Remote Code Execution Vulnerability in Apache Common Text

Advisory ID: CV_2022_10_1

External Reporting ID: CVE-2022-42889

Issued On: October 18, 2022

Updated On: October 18, 2022

Severity: High

Affected Products

The vulnerability does not affect Commvault products.

Resolution

As a precautionary measure, we are upgrading the Apache Commons Text version in our product. The updates will be available in an upcoming Maintenance Release.

Badge

Yep, Rapid7 also sees this component as vulnerable; if it’s not used, remove it! Commvault are certainly not alone in leaving components behind even after they no longer use them… If that is in fact the case and it’s no longer used, as others have said, compliance just wants to see green ticks!

Apache Commons Text jars within the vulnerable version range found:

  • D:\Program Files\Commvault\ContentStore\AdminConsole\WEB-INF\lib\commons-text-1.9.jar

Userlevel 7
Badge +19

Not sure if it is part of the Q&A process, but having a test setup that is scanned every week by a software vulnerability manager could be something to add to the process, just to make sure vulnerable packages and libraries are identified automatically so they can be addressed proactively.

Badge +1

Hi @Mike Struening , thanks for the advice. I will address this internally and to Commvault.

Userlevel 7
Badge +23

@Patrick Dijkgraaf , @Andrew Kooijman , it might be worth opening a support case for this to get it escalated to dev to address quicker.

As @Onno van den Berg said, we are upgrading our 3rd party components, though any input that can assist with priority helps!!

Userlevel 7
Badge +19

I totally agree! The most obvious components are being updated often, but others are being forgotten. Also, even though Commvault doesn't use the specific function, library or feature, it might still show up in the results of security scans. For us this is not a problem because we can defend it easily, but for others it's harder because management looks for smileys and lacks the proper knowledge to interpret the actual implementation and/or vulnerability.

Userlevel 3
Badge +8

Hmmm… If it’s not used, it should be safe to remove I’d think.

Better yet, if it’s not used, why is it (still) installed at all?

No problem in installing/using 3rd party software along with Commvault, but it should not be left lingering unmaintained/vulnerable. I think with log4j we had a similar issue where old versions were left behind… :-(

Userlevel 7
Badge +23

@rbusscher we use Apache products, but not the product in this vulnerability.

@Patrik , I’d err on the side of ‘no’, though the best bet is to get support to take a look and engage dev.  False alerts are annoying for sure.

 

Userlevel 3
Badge +8

Hi, if this is not used, can it be safely removed?
It is generating red alerts for at least one customer.

Badge

Nessus report scan found this:

 

Badge

Our CV environment is using Apache for Command Center. So why is CV saying we are not using Apache in our products? @Mike Struening

Userlevel 7
Badge +23

Anytime!

Badge +1

Hi Mike, I think this will do. Thanks for your answer!

Userlevel 7
Badge +23

Hi @Andrew Kooijman !

I looked into this and found that we are not using this Apache product and are not vulnerable to this.

Let me know if you have any further questions!
