Security Announcement on CVE-2022-42889

We will update this announcement with new details as they emerge from our analysis. Please check back periodically.

CVE-2022-42889 is a new critical security vulnerability with a CVSS score of 9.8. More official details can be found here.

In short, Apache Commons Text is vulnerable to remote code execution (RCE) because its default configuration does not sufficiently restrict the dynamic evaluation of ${...} expressions during variable interpolation with the StringSubstitutor API.
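As an added illustration (not code from this advisory or from any enaio® or yuuvis® component), the following shows how an application that does use StringSubstitutor can limit interpolation to an explicit allow-list of lookups instead of the library's default set; the `app` and `sys` prefixes and the sample values are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolation {

    // Build a substitutor that only knows the lookups this application needs.
    // The prefixes "app" and "sys" are assumptions for this example.
    static StringSubstitutor buildRestrictedSubstitutor(Map<String, String> appValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());

        // defaultStringLookup = null and addDefaultLookups = false:
        // nothing outside the allow-list is ever consulted, so an unknown
        // prefix is left in the text as a literal instead of being evaluated.
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Map<String, String> values = new HashMap<>();
        values.put("product", "enaio");

        StringSubstitutor sub = buildRestrictedSubstitutor(values);

        // Allowed prefix resolves: prints "Product: enaio"
        System.out.println(sub.replace("Product: ${app:product}"));

        // Prefix not in the allow-list stays untouched: prints "Other: ${other:value}"
        System.out.println(sub.replace("Other: ${other:value}"));
    }
}
```

Compare this with `StringSubstitutor.createInterpolator()`, which in affected versions enables the library's full default lookup set.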

For this vulnerability to be exploitable, a component must have a dependency, either direct or transitive, on the vulnerable library and must explicitly use the vulnerable API. We have carried out a risk analysis for all of our product lines. These are our findings and recommendations:

enaio® (versions: 9.10, 10.0, 10.10)

Although several enaio® components have transitive dependencies on the Apache Commons Text library, none of them use the vulnerable StringSubstitutor API. Therefore, there is no exploitable attack vector and enaio® is not affected.

As always, we will update these dependencies in the upcoming regular patch cycles as a precaution and to prevent false positives in security scans.

Patches for enaio® gateway are available.

The first published patches for enaio® gateway for the Apache Commons Text library caused problems with NTLM and dashlets and have been withdrawn: version 9.10 Hotfix 27, 10.0.11 and 10.10.5.
Install the following or a later version.

yuuvis® RAD (all supported versions: 7.16 LTS, 8.x)

Not affected.

yuuvis® Momentum (all supported versions: 2020 Winter eLTS, 2021 Winter LTS, 2022 Autumn)

Although several yuuvis® Momentum components have transitive dependencies on the Apache Commons Text library, none of them use the vulnerable StringSubstitutor API. Therefore, there is no exploitable attack vector and yuuvis® Momentum is not affected.

As always, we will update these dependencies in the upcoming regular patch cycles as a precaution and to prevent false positives in security scans.