Apache Commons Text vulnerability


oriol....@udl.cat

Oct 20, 2022, 4:51:26 AM
to DSpace Technical Support
Hi all,
A vulnerability has been discovered affecting versions 1.5 to 1.9 of Apache Commons Text:
https://nvd.nist.gov/vuln/detail/CVE-2022-42889

I've seen DSpace 7 uses the 1.9 version of this library:
https://github.com/DSpace/DSpace/blob/main/dspace-api/pom.xml#L850
It is recommended to update to 1.10, but I haven't tested it yet myself. Just wanted to make sure everyone who is using DSpace 7 in production is aware of this.

Regards,
Oriol

PS: Here are some more links about the vulnerability


Mark H. Wood

Oct 20, 2022, 8:00:29 AM
to dspac...@googlegroups.com
On Thu, Oct 20, 2022 at 01:51:26AM -0700, oriol....@udl.cat wrote:
> There has been discovered a vulnerability affecting versions 1.5 to 1.9 of
> Apache Commons Text:
> https://nvd.nist.gov/vuln/detail/CVE-2022-42889
>
> I've seen DSpace 7 uses the 1.9 version of this library:
> https://github.com/DSpace/DSpace/blob/main/dspace-api/pom.xml#L850
>
> It is recommended to update to 1.10, but I haven't tested it yet myself.
> Just wanted to make sure everyone who is using DSpace 7 in production is
> aware of this.

Thank you. A patch has been developed, but currently it is believed
that this issue does not affect DSpace.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Edmund Balnaves

Oct 20, 2022, 8:04:35 AM
to DSpace Technical Support
The vulnerability centres on use of the StringSubstitutor from an unfiltered input.

It looks from the source that the function is used for substitutions derived from dspace configuration files.

On an initial review, as long as these config files are well-governed dspace7 should be safe in the context of this vulnerability.

Sarah Butash

Oct 20, 2022, 8:07:23 AM
to Edmund Balnaves, DSpace Technical Support
What about DSpace 5 and 6?

--

Sarah Butash

she / her

Library Systems Analyst, OU Libraries

Kresge Library, Room 227

100 Library Drive, Rochester, MI  48309-4479

Phone: 248-370-2368
Tim Donohue

Oct 20, 2022, 9:45:30 AM
to DSpace Technical Support
Hi all,

We (several Committers) analyzed this vulnerability yesterday and came to the same conclusion as Edmund.

No version of DSpace appears to be vulnerable to CVE-2022-42889, based on the current information available. This includes DSpace 7.x, 6.x, 5.x and every other release before then. Apache Commons Text is only included in the DSpace 7.x releases.

If you are interested in updating your version of Apache Commons Text in DSpace 7.x, we have an early PR at https://github.com/DSpace/DSpace/pull/8537 

This PR is still being tested/reviewed, but the results are good so far.  It will be included in the upcoming 7.5 release (due in Feb 2023). This PR's description also contains notes of our analysis of this vulnerability.

If more information becomes available about CVE-2022-42889 that causes a concern for DSpace, we'll reanalyze and possibly release an immediate patched version of 7.x.  However, at this time, we don't anticipate that occurring. From what I'm reading, this security vulnerability is dangerous, but also very rare. Exploiting the vulnerability seems to require using a very specific feature of Apache Commons Text & passing it untrusted user input. DSpace doesn't use the vulnerable feature, and never passes any untrusted data to Apache Commons Text.

If anyone has any further questions or concerns, feel free to reach out to me or email secu...@dspace.org (which goes to all active DSpace Committers).

Thanks,

Tim Donohue

From: dspac...@googlegroups.com <dspac...@googlegroups.com> on behalf of Edmund Balnaves <edmund....@gmail.com>
Sent: Thursday, October 20, 2022 6:37 AM
To: DSpace Technical Support <dspac...@googlegroups.com>
Subject: [dspace-tech] Re: Apache Commons Text vulnerability
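The mitigation pattern Edmund and Tim describe above (substitutions fed only from governed configuration values, never from untrusted input) as an added Java illustration; this is not code from the thread or from DSpace itself. It wires a `StringSubstitutor` to an interpolator that registers no prefixed lookups at all and resolves plain `${key}` references only from a fixed map, and adds a small audit routine that lists any prefixed `${name:...}` lookups found in a configuration template so a reviewer can spot them before the file is trusted. The configuration keys and values are constructed for the example; the Commons Text calls used (`mapStringLookup`, `interpolatorStringLookup(map, defaultLookup, addDefaultLookups)`) are part of the public API in 1.9 and 1.10.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedSubstitution {

    /** Constructed sample values standing in for entries a config file would define. */
    static final Map<String, String> CONFIG = Map.of(
        "dspace.dir", "/opt/dspace",
        "dspace.name", "Example Repository");

    /**
     * Builds a substitutor that resolves ONLY unprefixed keys from the given map.
     * An empty lookup map plus addDefaultLookups=false means no "prefix:" lookups
     * (system properties, environment, file, network or script) are registered,
     * so a prefixed reference is simply left unresolved rather than dispatched.
     */
    static StringSubstitutor restrictedSubstitutor(Map<String, String> values) {
        StringLookup mapLookup = StringLookupFactory.INSTANCE.mapStringLookup(values);
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
            new HashMap<String, StringLookup>(), // no prefixed lookups at all
            mapLookup,                            // ${key} resolves from the map only
            false);                               // do not add the library defaults
        return new StringSubstitutor(interpolator);
    }

    /** Resolves a template against the constructed CONFIG map. */
    static String resolve(String template) {
        return restrictedSubstitutor(CONFIG).replace(template);
    }

    /**
     * Matches "${name:" but not "${name:-default}", which is the library's
     * default-value syntax rather than a lookup prefix.
     */
    static final Pattern PREFIXED_LOOKUP =
        Pattern.compile("\\$\\{\\s*([A-Za-z][A-Za-z0-9]*)\\s*:(?!-)");

    /** Lists the lookup prefixes present in a template so a config reviewer can inspect them. */
    static List<String> prefixedLookups(String template) {
        List<String> found = new ArrayList<>();
        Matcher m = PREFIXED_LOOKUP.matcher(template);
        while (m.find()) {
            found.add(m.group(1));
        }
        return found;
    }

    public static void main(String[] args) {
        // Ordinary config reference: resolved from the map.
        System.out.println(resolve("Assetstore: ${dspace.dir}/assetstore"));

        // No lookup named "sys" is registered, so the reference stays literal.
        System.out.println(resolve("Home: ${sys:user.home}"));

        // Audit of a constructed config line: reports ["sys"], while the
        // default-value form ${dspace.name:-Unnamed} is not reported.
        String configLine = "${dspace.name:-Unnamed} at ${sys:user.home}";
        System.out.println("Prefixed lookups to review: " + prefixedLookups(configLine));
    }
}
```

The point of building the interpolator with an empty lookup map is that the safety does not depend on which lookups a given Commons Text release enables by default; the application states exactly which resolvers exist, which is also what makes the configuration files "well-governed" in the sense Edmund uses above.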
 