A vulnerability has been identified in the Apache Commons Text library. Cloudian took immediate action and has provided patches to remediate the issue. Data security is a foremost concern at Cloudian. This blog explains the issue and outlines the steps Cloudian has taken. Cloudian customers are strongly advised to prioritize and apply the Cloudian patch updates.
What is the Apache Commons Text (aka Text4Shell) vulnerability?
CVE-2022-42889 is a remote code execution (RCE) vulnerability in the Apache Commons Text library. The library's StringSubstitutor performs variable interpolation on strings, and in versions 1.5 through 1.9 the default set of interpolators includes lookups that evaluate scripts inside the JVM, perform DNS queries and fetch URLs. A security researcher reported that when an application passes attacker-controlled input to the interpolator, a reference such as ${script:javascript:...} is evaluated, which can lead to arbitrary code execution. In short, using the library with its default configuration on untrusted input can result in malicious code execution.
What is the concern?
Public exploits exist for this vulnerability, which is rated critical (CVSS 9.8). The Lookup instances included by default in the library's interpolator (the script, dns and url lookups) can evaluate attacker-supplied expressions, so a malicious ${prefix:name} reference in the input processed by the interpolator can result in code execution or in outbound network requests from the application.
The vulnerability strongly resembles the earlier Log4Shell vulnerability (CVE-2021-44228): in both cases a string interpolation feature that is enabled by default evaluates attacker-supplied input. Experts therefore expect that it could lead to similar remote code execution, although actual exposure depends on whether an application passes untrusted input to StringSubstitutor, which is far less common than feeding untrusted strings to a logging framework. Security researchers are emphasizing the need to update immediately to Apache Commons Text 1.10.0, in which the script, dns and url lookups are no longer enabled by default.
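The following is an added example, not Cloudian's or Apache's code, showing the vulnerable usage described above beside a hardened form. It assumes commons-text 1.8 or 1.9 on the classpath (the versions the page discusses) and, for the script lookup to actually run, a JSR-223 JavaScript engine such as Nashorn (bundled with JDK 8 to 14). The class name, the method names and the attacker string are assumptions constructed for the demonstration; the attacker string deliberately reads a system property rather than executing a command.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not Cloudian's or Apache's code): CVE-2022-42889, the
 * vulnerable interpolation pattern beside an allow-list based hardening.
 * Assumes commons-text 1.8/1.9 on the classpath; the "script" lookup needs
 * a JSR-223 JavaScript engine (Nashorn on JDK 8-14) to evaluate anything.
 */
public class Text4ShellDemo {

    // Constructed attacker input: a ${prefix:name} reference addressed to the
    // "script" lookup. A real payload would call java.lang.Runtime.exec();
    // this one only reads a JVM system property so it is safe to run.
    static final String MALICIOUS =
        "Hello ${script:javascript:java.lang.System.getProperty('user.home')}";

    /**
     * Vulnerable pattern. In 1.5-1.9 the default interpolator wires in the
     * script, dns and url lookups, so untrusted input is evaluated.
     * (createInterpolator() exists since 1.8; on 1.5-1.7 the equivalent is
     * new StringSubstitutor(StringLookupFactory.INSTANCE.interpolatorStringLookup()).)
     */
    static String vulnerable(String untrusted) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(untrusted);
    }

    /**
     * Hardened pattern: resolve variables only from an explicit allow-list.
     * A map lookup is asked for the key "script:javascript:..." which does
     * not exist, so the reference is left unresolved and nothing runs.
     */
    static String hardened(String untrusted, Map<String, String> allowed) {
        StringLookup mapOnly = StringLookupFactory.INSTANCE.mapStringLookup(allowed);
        StringSubstitutor sub = new StringSubstitutor(mapOnly);
        return sub.replace(untrusted);
    }

    public static void main(String[] args) {
        Map<String, String> allowed = new HashMap<>();
        allowed.put("user", "alice");

        // On 1.5-1.9 with a JS engine present this prints the JVM user's home
        // directory: the attacker-controlled expression ran inside the
        // process. Without a JS engine the script lookup throws
        // IllegalArgumentException instead. On 1.10.0 the script lookup is not
        // registered by default and the reference is printed back unchanged.
        System.out.println("vulnerable: " + vulnerable(MALICIOUS));

        // Same input through the allow-list: the reference is printed back
        // unchanged, while an allow-listed variable is still substituted.
        System.out.println("hardened:   " + hardened(MALICIOUS, allowed));
        System.out.println("hardened:   " + hardened("Hello ${user}", allowed));
    }
}
```

The allow-list approach is independent of the library version, which is why it is the right mitigation while a patch is being rolled out. Upgrading to 1.10.0 removes script, dns and url from the default interpolator; an application that genuinely needs them has to opt back in through the org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups system property, and should then treat every string it interpolates as trusted.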
Cloudian’s findings and recommendations
Cloudian has responded to the potential threat of exploitation of a critical remote code execution (RCE) vulnerability (CVE-2022-42889) in the Apache Commons Text library, versions 1.5 through 1.9, which is being called the "Text4Shell" vulnerability.
- We immediately identified which Cloudian products ship the Apache Commons Text library:
- HyperFile and HyperIQ are not impacted because they do not use the Apache Commons Text library.
- HyperStore versions from 7.2.2 onward ship the Apache Commons Text 1.8 jar but do not call the vulnerable API (StringSubstitutor variable interpolation with the default lookups), so the vulnerable code path is not reachable.
- When the vulnerability was published on October 13, 2022, Cloudian began investigating and mitigating it through a HyperStore patch that updates to the latest Apache Commons Text version released by Apache.org.
- A patch is available for the supported HyperStore 7.3, 7.4 and 7.5 releases. HyperStore 7.2 and earlier are no longer supported; please upgrade to one of the supported versions and apply the patch.
Additional information and resources
The following Cloudian Knowledgebase articles, published as Security Advisories, are available to customers through the Cloudian Support Portal at https://cloudian-support.force.com.