Objectif Lune joins Upland Software.Learn more >
Philippe Fontan
October 21st, 2022
Version Française
On October 18, 2022, it was reported that one of the Apache modules used in OL Connect is vulnerable to exploits that could result in arbitrary code execution or contact with remote servers. The vulnerability exists in versions 1.5 to 1.9 of the Apache Commons Text module, with OL Connect 2022.1 using version 1.9 of that module. Older versions of Connect also use vulnerable versions of the module.
Our R&D department has assessed the potential risk in OL Connect. Their investigation shows that the vulnerability is in the org.apache.commons.text.StringSubstitutor class (ref: https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/).
OL Connect does not use this class. It does use the WordUtils and StringEscapeUtils classes from the same module, but those classes do not use the vulnerable class either.
OL Connect is therefore not impacted by this vulnerability.
To completely eliminate the threat and prevent it from being flagged by security monitoring systems, OL Connect 2022.2 (slated for release in November 2022) will be using version 1.10 of the Apache Commons Text module.
Tagged in: Apache, CVE-2022-42889, Text2shell, Vulnerability
Receive exclusive OL products news, tips and resources.
Your email address will not be published. Required fields are marked *
Notify me of followup comments via e-mail. You can also subscribe without commenting.
Δ
Hi Philippe. Not every has upgraded to 2022.1, indeed many are several releases behind.
Does the above apply to earlier releases of Connect?
And by “Connect” does this apply to all products of the Connect family?
Versions of OL Connect prior to 2022.1 are using either the same version of the affected Apache module, or some older version that is also affected. So the same recommendation to update to the upcoming 2022.2 version applies.
And yes, “OL Connect” means the entire OL Connect product family (except for the Workflow module, which isn’t written in Java).