CVE-2022-42889 - Apache Commons Text Vulnerability
Issue
Apache has disclosed a vulnerability in the Apache Commons Text library. Its string substitution functions perform variable interpolation, allowing properties to be dynamically evaluated and expanded. For the latest information, we ask that customers continue to monitor the vulnerability for updates: https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Armory has investigated this critical issue. As of October 21st, 2022, we have analyzed the vulnerability and its potential for harm to Armory CD customers. Based on our investigation, we do not appear to be susceptible to exploitation at this time, and therefore we are only observing developments. We will continue to review updates and assess the potential impact on customers.

Update, Oct 22, 2022: Halyard and Operator images both contain the library, but the affected class is not used. The article has been updated with this additional relevant information.
Cause
The vulnerability can lead to script execution through variable interpolation. An example of how it might be exploited can be found here: https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
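As an added illustration of the mitigation side (this is not Armory's code nor code from the Apache advisory), the following Java snippet builds a Commons Text StringSubstitutor that resolves only an explicit allowlist of lookups, so unregistered prefixes such as script are left unexpanded instead of evaluated. It assumes Apache Commons Text 1.10.0 or later on the classpath; the lookup names app and base64 are chosen here for the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Hardened interpolation: only explicitly allowlisted lookups are reachable. */
public final class SafeInterpolation {

    /** Builds a substitutor whose only lookups are the ones passed in (assumed names). */
    static StringSubstitutor allowlisted(Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // Only the lookups this application actually needs; no script, url or dns.
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(values));
        allowed.put("base64", StringLookupFactory.INSTANCE.base64EncoderStringLookup());
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, // the allowlist
                null,    // no default lookup for un-prefixed keys
                false);  // do NOT add the library's default lookups
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("env", "prod"); // constructed sample value
        StringSubstitutor safe = allowlisted(values);

        // Allowed prefix resolves as expected: "deploying to prod"
        System.out.println(safe.replace("deploying to ${app:env}"));

        // An unregistered prefix is left untouched rather than evaluated,
        // because no lookup is registered for it; the reference is inert.
        System.out.println(safe.replace("${script:javascript:1+1}"));
    }
}
```

Compare this with StringSubstitutor.createInterpolator(), which wires in the library's default lookup set; restricting the map as above keeps the reachable lookups independent of which defaults a given library version enables.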