EVS security updates on CVE-2022-42889 (aka Text4Shell) vulnerability
Updated 20 October 2022 - 12:00 CET
EVS is actively responding to the reported vulnerability in the Apache Commons Text library that can result in code execution when processing malicious input. We are currently conducting a product-by-product analysis to determine if any are potentially impacted by the vulnerability. This is an ongoing investigation, so please check this bulletin page frequently for updates.
CVE-2022-42889, which some have begun calling “Text4Shell,” is a vulnerability in the popular Apache Commons Text library that can result in code execution when processing malicious input. CVE-2022-42889 arises from an insecure implementation of Commons Text’s variable interpolation functionality: more specifically, some default lookup strings could potentially accept untrusted input from remote attackers, such as DNS requests, URLs, or inline scripts. CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10.
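As an added example of the kind of dependency check such a product-by-product analysis relies on (this is illustrative code, not EVS tooling), the script below flags Commons Text versions in the affected range (1.5 through 1.9) in the output of a Maven dependency tree. The sample tree is constructed; note that versions must be compared numerically, since the patched release "1.10" sorts before "1.9" as a string.

```python
import re

# CVE-2022-42889 range: 1.5 <= version < 1.10 (1.10 is the patched release)
AFFECTED_MIN = (1, 5)
FIXED = (1, 10)


def parse_version(v):
    """Turn '1.9' or '1.10.0-SNAPSHOT' into a tuple of ints for numeric comparison."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True when the version falls inside the CVE-2022-42889 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


# Matches a Maven coordinate such as org.apache.commons:commons-text:jar:1.9:compile
# (groupId:artifactId:type[:classifier]:version:scope), as printed by `mvn dependency:tree`.
COORD_RE = re.compile(
    r"org\.apache\.commons:commons-text:(?:[\w-]+:){1,2}(\d[\w.\-]*):(\w+)"
)


def scan_dependency_tree(text):
    """Return (version, scope) pairs for every affected commons-text occurrence."""
    hits = []
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample output; not taken from any real EVS build.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:2.3.0
[INFO] +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.11:compile
[INFO] +- com.example:reporting:jar:1.0:compile
[INFO] |  \\- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] \\- com.example:legacy:jar:0.4:test
[INFO]    \\- org.apache.commons:commons-text:jar:1.4:test
"""

if __name__ == "__main__":
    for version, scope in scan_dependency_tree(SAMPLE_TREE):
        print(f"affected: commons-text {version} ({scope} scope)")
```

Only the 1.9 entry is reported: 1.10.0 is the fixed line and 1.4 predates the affected range.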
Products under investigation or not impacted
Current investigations do not reveal usage of Apache Commons Text library in EVS products.
As this investigation is still ongoing, please check this bulletin page frequently for updates.
More information and detailed explanations on the working of this vulnerability can be found via the links below: