Statement on Text4Shell RCE vulnerability (CVE-2022-42889)

Background

On October 18, 2022, it was reported that one of the Apache libraries bundled with OL Connect, Apache Commons Text, contains a flaw (CVE-2022-42889) through which crafted input can lead to arbitrary code execution or to unintended connections to remote servers. Versions 1.5 through 1.9 of Apache Commons Text are affected; OL Connect 2022.1 ships version 1.9 of that library, and older versions of OL Connect also ship affected versions.

Severity

Our R&D department has assessed the potential risk to OL Connect. Their investigation confirms that the vulnerability lies in the org.apache.commons.text.StringSubstitutor class, specifically in its default interpolator, whose script, dns and url lookups act on ${prefix:...} expressions found in the text being substituted (ref: https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/).

OL Connect does not use this class. It does use the WordUtils and StringEscapeUtils classes from the same library, but those classes perform no variable interpolation and do not call StringSubstitutor either.

OL Connect is therefore not impacted by this vulnerability, even though the vulnerable class is present in the bundled library.
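To make the distinction above concrete, the following is an added example (not OL Connect code, and not part of the original statement). It shows the vulnerable pattern, in which untrusted text reaches the default interpolator; a hardened alternative that resolves only an explicit map of variables; and the two classes OL Connect does call, which leave ${...} sequences untouched. It also reads the version of Commons Text actually loaded, which is the check to run on an installation that cannot be upgraded yet. The class name and the probe string are illustrative, and StringSubstitutor.createInterpolator() assumes Commons Text 1.8 or later on the classpath.

```java
import java.util.Collections;
import java.util.Map;

import org.apache.commons.text.StringEscapeUtils;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.WordUtils;

// Hypothetical class for illustration; not part of any OL Connect module.
public final class CommonsTextCheck {

    // Constructed probe input. The "sys" lookup is part of the default
    // interpolator and only reads a system property, so it demonstrates that
    // interpolation is active without triggering the script/dns/url lookups
    // that make CVE-2022-42889 exploitable. Do not run attacker-controlled
    // text through this path.
    static final String UNTRUSTED = "Hello ${sys:java.version}";

    // Vulnerable pattern on Commons Text 1.5 to 1.9: the default interpolator
    // resolves every ${prefix:...} it knows, including script:, dns: and url:.
    static String vulnerable(String input) {
        return StringSubstitutor.createInterpolator().replace(input);
    }

    // Hardened pattern: a substitutor backed by a plain map resolves only the
    // keys in that map. "${sys:java.version}" is looked up as a literal key,
    // is not found, and is left unchanged in the output.
    static String hardened(String input, Map<String, String> allowedVars) {
        return new StringSubstitutor(allowedVars).replace(input);
    }

    // The two classes OL Connect uses. Neither one interprets ${...}.
    static String viaWordUtils(String input) {
        return WordUtils.capitalize(input);
    }

    static String viaStringEscapeUtils(String input) {
        return StringEscapeUtils.escapeHtml4(input);
    }

    // Reports the Commons Text version on the classpath from the jar manifest
    // (Implementation-Version, if present). 1.5 through 1.9 are affected;
    // 1.10.0 disables the script, dns and url lookups by default.
    static String loadedVersion() {
        Package p = StringSubstitutor.class.getPackage();
        return (p == null || p.getImplementationVersion() == null)
                ? "unknown" : p.getImplementationVersion();
    }

    public static void main(String[] args) {
        Map<String, String> allowed = Collections.singletonMap("name", "world");
        System.out.println("commons-text version : " + loadedVersion());
        System.out.println("default interpolator : " + vulnerable(UNTRUSTED));
        System.out.println("map-backed (hardened): " + hardened(UNTRUSTED, allowed));
        System.out.println("WordUtils            : " + viaWordUtils(UNTRUSTED));
        System.out.println("StringEscapeUtils    : " + viaStringEscapeUtils(UNTRUSTED));
    }
}
```

Compile and run with commons-text on the classpath (for example commons-text-1.9.jar together with its commons-lang3 dependency). The interpolator line will show the Java version substituted in, the other three lines will show the ${sys:java.version} text passed through unchanged, and loadedVersion() tells you whether the jar in use falls in the affected 1.5 to 1.9 range. Note that the sys lookup remains enabled in 1.10, so that probe alone does not distinguish a fixed jar from an affected one; rely on the version check for that.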

Corrective measures

To eliminate the vulnerable code entirely, and to stop vulnerability scanners from flagging the bundled library, OL Connect 2022.2 (slated for release in November 2022) will ship version 1.10 of Apache Commons Text, in which the script, dns and url lookups are no longer enabled by default.

Tagged in: Apache, CVE-2022-42889, Text4Shell, Vulnerability

All comments (2)

  • John Price

    Hi Philippe. Not everyone has upgraded to 2022.1; indeed, many are several releases behind.

    Does the above apply to earlier releases of Connect?

    And by “Connect” does this apply to all products of the Connect family?

    • Philippe Fontan

      Versions of OL Connect prior to 2022.1 are using either the same version of the affected Apache module, or some older version that is also affected. So the same recommendation to update to the upcoming 2022.2 version applies.

      And yes, “OL Connect” means the entire OL Connect product family (except for the Workflow module, which isn’t written in Java).