Security Announcement on CVE-2022-42889

We will update this announcement with new details as they emerge from our analysis. Please check back periodically.

Last update: 27 October 2022, 6:30 PM CET

CVE-2022-42889 is a new critical security vulnerability with a CVSS score of 9.8. More official details can be found here.

In short, Apache Commons Text is vulnerable to remote code execution (RCE) due to insufficient default restrictions on the dynamic evaluation of ${...} strings during variable interpolation with the StringSubstitutor API.
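As an added illustration of the mechanism described above (this is example code written for this announcement, not code from any of the products discussed here), the snippet below contrasts the vulnerable pattern, in which untrusted text is passed to the default interpolator, with a hardened variant that only resolves an explicit map of values. It assumes Apache Commons Text on the classpath; the class name `SafeInterpolation` and the method names are hypothetical. Versions of Commons Text before 1.10.0 register the script, DNS and URL lookups in the default interpolator, which is what makes the first form dangerous; 1.10.0 removed them from the defaults.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Hypothetical helper class written for this announcement (not product code).
public class SafeInterpolation {

    // VULNERABLE on commons-text < 1.10.0: createInterpolator() wires up every
    // built-in lookup, so a ${prefix:...} sequence in untrusted input selects
    // which lookup runs. Never feed user-controlled text to this.
    static String interpolateUnsafe(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // HARDENED: only keys present in an explicit map are resolved. Any other
    // ${...} sequence, including ones with a lookup prefix, is left untouched,
    // so there is no dynamic evaluation regardless of the library version.
    static String interpolateSafe(String template, Map<String, String> values) {
        StringLookup lookup = StringLookupFactory.INSTANCE.mapStringLookup(values);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        // Also refuse nested ${${...}} expansion, which untrusted input could abuse.
        sub.setEnableSubstitutionInVariables(false);
        return sub.replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> allowed = Map.of("name", "enaio");

        // Constructed sample input: one legitimate placeholder, one that carries
        // a lookup prefix and must not be resolved.
        String template = "Hello ${name}, your home is ${env:HOME}";

        // Prints: Hello enaio, your home is ${env:HOME}
        System.out.println(interpolateSafe(template, allowed));
    }
}
```

The defensive rule this demonstrates is the one the announcement relies on for its risk analysis: the library being present is not by itself an attack vector; the vulnerable API has to be called, and it has to be called on text an attacker can influence. Where the API is genuinely needed, constructing the `StringSubstitutor` from an explicit lookup (or map) rather than `createInterpolator()` removes the dynamic lookups entirely, and upgrading to Commons Text 1.10.0 or later removes them from the defaults.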

For this vulnerability to be exploited, the component has to have a dependency, either direct or transitive, on the vulnerable library and to explicitly use the vulnerable API. We have carried out a risk analysis for all of our product lines. These are our findings and recommendations:

enaio® (all supported versions: 9.10, 10.0, 10.10)

Although several enaio® components have transitive dependencies on the Apache Commons Text library, none of them use the vulnerable StringSubstitutor API. Therefore, there is no exploitable attack vector and enaio® is not affected.

As always, we will update these dependencies in the upcoming regular patch cycles as a precaution and to prevent false positives in security scans.

The patches for enaio® gateway, as a front-facing service, are already available:

  • Version 9.10: osgateway_hotfix.exe, version 9.10 hotfix 27

  • Version 10.0: osgateway_hotfix.exe 10.0.11

  • Version 10.10: osgateway_hotfix.exe 10.10.5

Update dated October 27, 2022

After installing these hotfixes, issues with NTLM and the display of dashlets may occur. These hotfixes have therefore been withdrawn. Please refer to our current release warning for more information.

yuuvis® RAD (all supported versions: 7.16 LTS, 8.x)

Not affected.

yuuvis® Momentum (all supported versions: 2020 Winter eLTS, 2021 Winter LTS, 2022 Autumn)

Although several yuuvis® Momentum components have transitive dependencies on the Apache Commons Text library, none of them use the vulnerable StringSubstitutor API. Therefore, there is no exploitable attack vector and yuuvis® Momentum is not affected.

As always, we will update these dependencies in the upcoming regular patch cycles as a precaution and to prevent false positives in security scans.