Last updated date: 15th November 2022
Advisory publication date: 9th November 2022
Update & current status
As of 15th November, we have released CloverDX versions that address the vulnerability in all supported versions of CloverDX:
- CloverDX 5.16.1
- CloverDX 5.15.3
- CloverDX 5.14.3
- CloverDX 5.13.4
We recommend that you upgrade CloverDX to one of the fixed versions listed above. Please review the What you need to do section for details about what to do for your version of CloverDX.
Summary
This advisory discloses one critical vulnerability – Text4Shell – an RCE (Remote Code Execution) vulnerability in the Apache Commons Text library, which is used in CloverDX products. The vulnerability affects all versions listed in the Affected product versions section.
CVE ID(s)
- CVE-2022-42889
Affected product versions
- CloverDX 5.16.0
- CloverDX 5.15.x before CloverDX 5.15.3
- CloverDX 5.14.x before CloverDX 5.14.3
- CloverDX 5.13.x before CloverDX 5.13.4
- CloverDX 5.12.x – this version is retired and no longer receives security fixes.
- CloverDX 5.11.x – this version is retired and no longer receives security fixes.
- CloverDX 5.10.x – this version is retired and no longer receives security fixes.
- CloverDX 5.9.x – this version is retired and no longer receives security fixes.
- CloverDX releases older than 5.9.0 – these versions are all EOL (End-of-life) and no longer receive any support or fixes.
Fixed product versions
- CloverDX 5.16.1 – contains the latest version of the Apache Commons Text library, which addresses the vulnerability; see the release notes for more details.
- CloverDX 5.15.3 – contains the latest version of the Apache Commons Text library, which addresses the vulnerability; see the release notes for more details.
- CloverDX 5.14.3 – contains the latest version of the Apache Commons Text library, which addresses the vulnerability; see the release notes for more details.
- CloverDX 5.13.4 – contains the latest version of the Apache Commons Text library, which addresses the vulnerability; see the release notes for more details.
CVE-2022-42889: Text4Shell, RCE in Apache Commons Text
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.
Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.
These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
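The following Java example is added here and is not part of the advisory or of CloverDX's code. It shows the mitigation the paragraph above implies for applications that interpolate "${prefix:name}" strings with Apache Commons Text: build the interpolator from an explicit allowlist so that the "script", "dns" and "url" lookups are never registered, and read the library version from the jar manifest as a best-effort inventory check. The class name SafeInterpolation, the sample values map and the untrusted input string are constructed for the example; the StringSubstitutor and StringLookupFactory calls are the library's own public API.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Example hardening (not CloverDX code) for code that interpolates
 * "${prefix:name}" strings with Apache Commons Text. The allowlist
 * approach works on Commons Text 1.3 and later, so it also protects a
 * deployment that cannot move to 1.10.0 immediately.
 */
public class SafeInterpolation {

    /**
     * Builds a substitutor whose only prefixed lookups are the ones listed here.
     * The third argument (addDefaultLookups = false) keeps "script", "dns", "url"
     * and every other default lookup out of the interpolator, so even the
     * affected library versions cannot reach them from an untrusted string.
     */
    public static StringSubstitutor restricted(Map<String, String> appValues) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        // Benign lookup kept as an example of an explicitly permitted prefix:
        // "${date:yyyy-MM-dd}" formats the current time.
        allowed.put("date", factory.dateStringLookup());
        // Unprefixed keys resolve only against the application's own values map.
        StringLookup interpolator =
                factory.interpolatorStringLookup(allowed, factory.mapStringLookup(appValues), false);
        return new StringSubstitutor(interpolator);
    }

    /**
     * Best-effort check of the Commons Text version on the classpath. Reads
     * Implementation-Version from the jar manifest and returns null when the jar
     * carries no such entry; callers must treat null as "unknown", not "safe".
     */
    public static String commonsTextVersion() {
        Package p = StringSubstitutor.class.getPackage();
        return p == null ? null : p.getImplementationVersion();
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");

        // Constructed input resembling a configuration value an application
        // should not trust: one legitimate key and one "script" token.
        String untrusted = "hello ${user}, ${script:javascript:1+1}";

        StringSubstitutor safe = restricted(values);
        // "user" resolves through the map; the "script" prefix is unknown to the
        // restricted interpolator, so that token is left verbatim, not evaluated.
        System.out.println(safe.replace(untrusted));

        // For comparison: StringSubstitutor.createInterpolator() registers the full
        // default set, which on Commons Text 1.5 through 1.9 includes "script",
        // "dns" and "url". Prefer the explicit allowlist above in application code.
        System.out.println("Commons Text version: " + commonsTextVersion());
    }
}
```

The allowlist is defence in depth, not a replacement for the upgrade: the actual fix is Commons Text 1.10.0 (or a fixed CloverDX version), which no longer registers the problematic interpolators by default. The manifest check is only useful for inventory; a null result means the version could not be determined and the jar should be inspected by other means.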
- CVE details: CVE-2022-42889 (NVD)
- Severity: critical
- CVSS 3.1 score: 9.8
- CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CloverDX Bug Tracker: CLO-24743
Fix
We recommend that all customers upgrade to CloverDX 5.16.1, which contains the latest security fixes (including the fix for the Text4Shell vulnerability).
If you cannot upgrade to CloverDX 5.16.1, refer to the What you need to do section for information about your version of CloverDX.
What you need to do
- 5.16.1 users – no need to do anything, you have the latest version.
- 5.16.0 users – update to CloverDX 5.16.1 (easy update).
- 5.15.x users – upgrade to CloverDX 5.15.3 (easy upgrade) or use the latest version CloverDX 5.16.1.
- 5.14.x users – upgrade to CloverDX 5.14.3 (easy upgrade) or use the latest version CloverDX 5.16.1.
- 5.13.x users – upgrade to CloverDX 5.13.4 (easy update) or use the latest version CloverDX 5.16.1.
- Older versions – upgrade to CloverDX 5.16.1 (recommended) or any other fixed version.
Support
If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list.
If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.
References
Update history
- 2022-11-15 – Updated with information about CloverDX 5.14.3 fix.
- 2022-11-11 – Updated with information about CloverDX 5.15.3 fix, clarified some parts of the text.
- 2022-11-09 – This advisory was first published.