Solved

Apache Vulnerability CVE-2022-42889



Hello,

 

This recent vulnerability has been detected. It seems to be a vulnerability in Apache Commons Text.

The affected versions of Apache Commons Text are 1.5 to 1.9. 

 

Does this affect Commvault too?

Best answer by Mike Struening RETIRED

Hi @Andrew Kooijman !

I looked into this and found that we are not using this Apache product and are not vulnerable to this.

Let me know if you have any further questions!




Hi Mike, I think this will do. Thanks for your answer!


Mike Struening
Vaulter

Anytime!



Our CV environment is using Apache for Command Center. So why is CV saying we are not using Apache in our products? @Mike Struening



Nessus report scan found this:

 


  • Commvault Certified Expert
  • October 26, 2022

Hi, if this is not used, can it be safely removed?
It is generating red alerts for at least one customer. 


Mike Struening
Vaulter

@rbusscher we use Apache products, but not the product in this vulnerability.

@Patrik , I’d err on the side of ‘no’, though the best bet is to get support to take a look and engage dev.  False alerts are annoying for sure.

 


Patrick Dijkgraaf
Commvault Certified Expert

Hmmm… If it’s not used, it should be safe to remove I’d think.

Better yet, if it’s not used, why is it (still) installed at all?

No problem in installing/using 3rd party software along with Commvault, but it should not be left lingering unmaintained/vulnerable. I think with log4j we had a similar issue where old versions were left behind… :-(


Onno van den Berg
Commvault Certified Expert

I totally agree! The most obvious components are being updated often, but others are being forgotten. Also, even though Commvault doesn't use the specific function, library or feature, it might still show up in the results of security scans. For us this is not a problem because we can defend it easily, but for others it's harder because management looks for smileys and lacks the proper knowledge to interpret the actual implementation and/or vulnerability.


Mike Struening
Vaulter

@Patrick Dijkgraaf , @Andrew Kooijman , it might be worth opening a support case for this to get it escalated to dev to address quicker.

As @Onno van den Berg said, we are upgrading our 3rd party components, though any input that can assist with priority helps!!



Hi @Mike Struening , thanks for the advice. I will address this internally and to Commvault.


Onno van den Berg
Commvault Certified Expert

Not sure if it is part of the Q&A process but having a test setup that is scanned every week by a software vulnerability manager could be something to add to the process. Just to make sure vulnerable packages and libraries are identified automatically so they can be addressed pro-actively. 


  • Bit
  • November 3, 2022

Yep, Rapid7 also sees this component as vulnerable, if it’s not used, remove it!  Commvault are certainly not alone in leaving components behind even after they no longer use them… If that is in fact the case that it’s no longer used, as others have said, compliance just want to see green ticks!
 

Apache Commons Text jars within the vulnerable version range found:

  • D:\Program Files\Commvault\ContentStore\AdminConsole\WEB-INF\lib\commons-text-1.9.jar

  • Byte
  • November 29, 2022

How is this resolved? Documentation says there will be a future update. 

https://documentation.commvault.com/2022e/essential/146231_security_vulnerability_and_reporting.html

CV_2022_10_1: Remote Code Execution Vulnerability in Apache Common Text

Advisory ID: CV_2022_10_1

External Reporting ID: CVE-2022-42889

Issued On: October 18, 2022

Updated On: October 18, 2022

Severity: High

Affected Products

The vulnerability does not affect Commvault products.

Resolution

As a precautionary measure, we are upgrading the Apache Commons Text version in our product. The updates will be available in an upcoming Maintenance Release.


Mike Struening
Vaulter

@EndUser it’s in 11.28.34 (Form 3184) which will be included in the next official release in December.

If you need the details for another Feature Release, let me know.


  • Byte
  • November 30, 2022

Thanks Mike, but after upgrading to 11.28.35 I see it only updated in AdminConsole, not in CustomReportsEngine. Will open a ticket.

 

\Program Files\Commvault\ContentStore\AdminConsole\WEB-INF\lib\commons-text-1.10.0.jar

\Program Files\Commvault\ContentStore\CustomReportsEngine\WEB-INF\lib\commons-text-1.9.jar
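The scanner findings earlier in the thread (a commons-text-1.9.jar under AdminConsole\WEB-INF\lib) and the partial upgrade reported in this post (AdminConsole at 1.10.0 while CustomReportsEngine still carries 1.9) are the same inventory question: which copies of the library sit in the install tree, and which of them fall in the 1.5 to 1.9 range the advisory names. The script below is an added example, not Commvault's tooling or anything from the thread; it walks an install root, matches every commons-text jar by filename, and flags the ones in the affected range. The directory layout it builds is a constructed sample that mirrors the paths posted above, with empty placeholder files. A version-range match is what Nessus and Rapid7 report on; whether the library's vulnerable feature is actually reachable in the product is a separate question, which is the vendor's point in this thread.

```python
import os
import re
import tempfile
from pathlib import Path

# Affected range as stated in the thread: Apache Commons Text 1.5 through 1.9.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)

# Matches jar names such as commons-text-1.9.jar or commons-text-1.10.0.jar.
JAR_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); numeric tuples compare correctly, unlike strings
    ('1.10' < '1.9' as text, but (1, 10) > (1, 9) as numbers)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when the major.minor of `version` lies in 1.5 .. 1.9 inclusive."""
    major_minor = parse_version(version)[:2]
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def find_commons_text_jars(root):
    """Walk the whole tree under `root` and return (path, version, affected) for
    every commons-text jar found, sorted by path.  Every webapp's WEB-INF/lib is
    visited, so a patched copy in one webapp cannot mask an old copy in another."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            match = JAR_RE.match(name)
            if match:
                version = match.group(1)
                findings.append((os.path.join(dirpath, name), version, is_affected(version)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout mirroring the paths posted in the thread; the
    files are empty placeholders, only their names matter to the scan."""
    layout = {
        "ContentStore/AdminConsole/WEB-INF/lib": ["commons-text-1.10.0.jar", "commons-lang3-3.12.0.jar"],
        "ContentStore/CustomReportsEngine/WEB-INF/lib": ["commons-text-1.9.jar"],
    }
    for rel, names in layout.items():
        directory = Path(base) / rel
        directory.mkdir(parents=True, exist_ok=True)
        for name in names:
            (directory / name).touch()
    return base


def scan_sample():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_commons_text_jars(tmp)


if __name__ == "__main__":
    # Replace scan_sample() with find_commons_text_jars(r"D:\Program Files\Commvault\ContentStore")
    # to scan a real install root.
    for path, version, affected in scan_sample():
        status = "VULNERABLE-RANGE" if affected else "ok"
        print(f"{status:<16} commons-text {version:<7} {path}")
```

Run against the constructed tree this prints one ok line for the 1.10.0 jar and one flagged line for the 1.9 jar, which is exactly the state this post describes after the 11.28.35 upgrade. Matching on major.minor deliberately treats 1.9 and a hypothetical 1.9.x alike, so a point release inside the affected range is not silently passed over.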


Mike Struening
Vaulter

You beat me to the punch!  Keep me posted 😎


  • Bit
  • December 7, 2022

@Mike Struening As LTS will 11.24 be getting this hotfix? Just I don’t see it in the December 11.24.78 release - unless I missed it?


Mike Struening
Vaulter

For 11.24, it’s Form ID 5772.  Still in progress, but on its way (doesn’t show an ETA).


  • Bit
  • January 5, 2023

Hello Mike,

 

Do we have any update now for 11.24, Form ID 5772, ETA?

 

And do we have any news about the problem regarding commons-text?

\Program Files\Commvault\ContentStore\AdminConsole\WEB-INF\lib\commons-text-1.10.0.jar

\Program Files\Commvault\ContentStore\CustomReportsEngine\WEB-INF\lib\commons-text-1.9.jar

 


Onno van den Berg
Commvault Certified Expert

@Tobi unfortunately Mike doesn't work at Commvault any longer, but I think @Damian Andre can provide an answer to your question. 


  • Bit
  • January 11, 2023

Hello Onno,

 

Yes, I would be glad to receive an answer.

 

Hello @Damian Andre ,

 

Can you tell me if there is any update now for 11.24, Form ID 5772, ETA?

 

And do we have any news about the problem regarding commons-text?

\Program Files\Commvault\ContentStore\AdminConsole\WEB-INF\lib\commons-text-1.10.0.jar

\Program Files\Commvault\ContentStore\CustomReportsEngine\WEB-INF\lib\commons-text-1.9.jar

 

Thanks Tobi


  • Bit
  • January 12, 2023

From the release documentation, it looks like it was in the January 2023 update, 11.24.86:

Update commons-text library to the latest version to address CVE-2022-42889 concerns.

6640, 6641, 6642

