Introduction

EVS is actively responding to the reported vulnerability in the Apache Commons Text library that can result in code execution when processing malicious input. We are currently conducting a product-by-product analysis to determine if any are potentially impacted by the vulnerability. This is an ongoing investigation, so please check this bulletin page frequently for updates. 

Description

CVE-2022-42889, which some have begun calling “Text4Shell,” is a vulnerability in the popular Apache Commons Text library that can result in code execution when processing malicious input. CVE-2022-42889 arises from an insecure implementation of Commons Text’s variable interpolation functionality: more specifically, some of the lookups enabled by default could accept untrusted input from remote attackers, such as DNS requests, URLs, or inline scripts. CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10.
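As an added illustration (not EVS code and not taken from the Commons Text project), the following Java snippet places the default-interpolator configuration the description refers to next to a restricted one built from an explicit allow-list of lookups; it assumes a Commons Text 1.x jar on the classpath and a hypothetical `app` prefix mapped to application-owned values.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Constructed sample values; only these should be reachable from a template.
    private static final Map<String, String> APP_VALUES = Map.of(
            "product", "example-product",
            "version", "1.0");

    /**
     * Weak setting: createInterpolator() registers every default lookup.
     * On Commons Text 1.5 through 1.9 that set includes the script, dns and
     * url lookups, so a template containing untrusted input can reach them.
     */
    static StringSubstitutor weakSubstitutor() {
        return StringSubstitutor.createInterpolator();
    }

    /**
     * Hardened setting: the interpolator is built from an explicit map of
     * allowed prefixes, and addDefaultLookups=false means the default
     * lookups are never registered, regardless of the library version.
     */
    static StringSubstitutor hardenedSubstitutor() {
        Map<String, StringLookup> allowed = new HashMap<>();
        // Hypothetical "app" prefix backed by application-controlled values.
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(APP_VALUES));
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        String template = "Running ${app:product} ${app:version}";
        // Only the "app" prefix resolves; any other prefix is left as-is
        // because no lookup is registered for it.
        System.out.println(hardenedSubstitutor().replace(template));
    }
}
```

Upgrading to Commons Text 1.10 or later remains the primary fix; the allow-list pattern is a defence-in-depth measure for code that must interpolate templates derived from external input.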

Products under investigation or not impacted

Current investigations do not reveal any use of the Apache Commons Text library in EVS products.

As this investigation is still ongoing, please check this bulletin page frequently for updates.

Known EVS impacted products & resolution

None

More information

More information and detailed explanations of how this vulnerability works can be found via the links below:

https://nvd.nist.gov/vuln/detail/CVE-2022-42889 

https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/ 

https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om 

https://thehackernews.com/2022/10/hackers-started-exploiting-critical.html