Apache Commons Text vulnerability

22 views
Skip to first unread message

oriol....@udl.cat

unread,
Oct 20, 2022, 7:36:24 AM10/20/22
to DSpace Community
Hi all,
There has been discovered a vulnerability affecting versions 1.5 to 1.9 of Apache Commons Text:

I've seen DSpace 7 uses the 1.9 version of this library:

It is recommended to update to 1.10, but I haven't tested it yet myself. Just wanted to make sure everyone who is using DSpace 7 in production is aware of this.

Regards,
Oriol

PS: Here are some more links about the vulnerability

Mark H. Wood

unread,
Oct 20, 2022, 7:53:25 AM10/20/22
to dspace-c...@googlegroups.com
On Thu, Oct 20, 2022 at 01:55:05AM -0700, oriol....@udl.cat wrote:
> There has been discovered a vulnerability affecting versions 1.5 to 1.9 of
> Apache Commons Text:
> https://nvd.nist.gov/vuln/detail/CVE-2022-42889
>
> I've seen DSpace 7 uses the 1.9 version of this library:
> https://github.com/DSpace/DSpace/blob/main/dspace-api/pom.xml#L850
>
> It is recommended to update to 1.10, but I haven't tested it yet myself.
> Just wanted to make sure everyone who is using DSpace 7 in production is
> aware of this.

Thank you for passing the word. This was noted yesterday, and a patch
exists:

https://github.com/DSpace/DSpace/pull/8537

So far, analysis of the use of Commons Text in DSpace sugggests that
DSpace is not vulnerable to this particular issue, but the developers
are watching carefully for further developments.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
signature.asc

Tim Donohue

unread,
Oct 20, 2022, 9:46:38 AM10/20/22
to oriol....@udl.cat, DSpace Community
Hi all,

We (several Committers) analyzed this vulnerability yesterday.

No version of DSpace appears to be vulnerable to CVE-2022-42889, based on the current information available.  This includes DSpace 7.x, 6.x, 5.x and every other release before then. Apache Commons Text is only included in the DSpace 7.x releases.  

That said, if you are interested in updating your version of Apache Commons Text in DSpace 7.x, we have an early PR at https://github.com/DSpace/DSpace/pull/8537 

This PR is still being tested/reviewed, but the results are good so far.  It will be included in the upcoming 7.5 release (due in Feb 2023). This PR's description also contains notes of our analysis of this vulnerability.

If more information becomes available about CVE-2022-42889 that causes a concern for DSpace, we'll reanalyze and possibly release an immediate patched version of 7.x.  However, at this time, we don't anticipate that occurring. From what I'm reading, this security vulnerability is dangerous, but also very rare. Exploiting the vulnerability seems to require using a very specific feature of Apache Commons Text & passing it untrusted user input. DSpace doesn't use the vulnerable feature, and never passes any untrusted data to Apache Commons Text.

If anyone has any further questions or concerns, feel free to reach out to me or email secu...@dspace.org (which goes to all active DSpace Committers).

Thanks,

Tim Donohue​

From: dspace-c...@googlegroups.com <dspace-c...@googlegroups.com> on behalf of oriol....@udl.cat <oriol....@udl.cat>
Sent: Thursday, October 20, 2022 3:55 AM
To: DSpace Community <dspace-c...@googlegroups.com>
Subject: [dspace-community] Apache Commons Text vulnerability
 
--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-communi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-community/ce4d5055-d84d-4661-8adf-1d13c5164c73n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages