Advisory ID: appd-sa-cve-2022-42889

CVE-2022-42889

CWE-94

First Published: 2022 October 24 14:00 PDT

Last Updated: 2022 December 16 13:00 PST

Version 1.7: Final

Workarounds: Not needed

CVSS Score: Base 9.8

Summary

On October 13, 2022, Apache disclosed a critical vulnerability (CVE-2022-42889) in the Apache Commons Text library affecting versions of commons-text from 1.5 through 1.9. Apache released version 1.10.0 to address this vulnerability.

Due to the various ways that third-party software is configured and implemented, the mere presence of a vulnerable version of this library does not necessarily mean that the AppDynamics software is vulnerable. AppDynamics has evaluated our products to determine whether any are impacted and has provided product-specific guidance below.
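For inventorying your own deployments against the version range above, the following is an added example, not AppDynamics or Apache code. It walks a directory, looks inside JAR/WAR/EAR archives for bundled copies, and flags commons-text 1.5 through 1.9. It assumes jars keep the Maven file name `commons-text-<version>.jar`, the sample tree is constructed, and a hit shows presence of the library only.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# From the advisory: commons-text 1.5 through 1.9 affected, fixed in 1.10.0.
AFFECTED_MIN, AFFECTED_MAX = (1, 5), (1, 9)
# Assumption: jars keep the Maven file name; renamed or shaded copies are missed.
JAR_RE = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def in_affected_range(version):
    """Compare major.minor numerically, so 1.10.0 sorts after 1.9."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= (parts + (0,))[:2] <= AFFECTED_MAX

def scan_archive(data, label, depth=3):
    """Yield (location, version) for commons-text jars nested in archive bytes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                yield f"{label}!/{name}", m.group(1)
            elif depth > 0 and name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), f"{label}!/{name}", depth - 1)

def scan_tree(root):
    """Return sorted (location, version, in_range) for jars found under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower().endswith(ARCHIVES):
            m = JAR_RE.search(path.name)
            rel = path.relative_to(root).as_posix()
            hits += [(rel, m.group(1))] if m else scan_archive(path.read_bytes(), rel)
    return sorted((loc, v, in_affected_range(v)) for loc, v in hits)

def build_sample(root):
    """Constructed sample tree: two loose jars plus one bundled inside a WAR."""
    lib = Path(root, "lib")
    lib.mkdir()
    (lib / "commons-text-1.9.jar").write_bytes(b"")
    (lib / "commons-text-1.10.0.jar").write_bytes(b"")
    with zipfile.ZipFile(Path(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-text-1.6.jar", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for loc, ver, hit in scan_tree(tmp):
            print(f"{'IN RANGE' if hit else 'ok':8}  {ver:7}  {loc}")
```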

This advisory is intended to address those products deployed on-premises by AppDynamics customers which may require customers to take action.

The AppDynamics SaaS platform is continually monitored and improved. Should there be any impact from this vulnerability to our SaaS customers, we will communicate directly with those customers through standard support channels.

This advisory is available at the following link: https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+CVE-2022-42889+in+Apache+Commons+Text

Affected Products

No AppDynamics products are known to be affected by this vulnerability.

Products Confirmed Not Vulnerable

AppDynamics has confirmed that the following products are not affected by this vulnerability:

  • .NET Agent
  • Analytics Agent
  • Apache Web Server Agent
  • C/C++ SDK Agent
  • Cluster Agent
  • Database Agent
  • Enterprise Console / Controller (On-Premises)
  • EUM Server
  • Events Service (On-Prem)
  • IIB Agent
  • Java Agent
  • Machine Agent
  • Mobile RUM Agent
  • Network Agent
  • PHP Agent
  • Python Agent

Exploitation and Public Announcements

AppDynamics is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

Source

This vulnerability was publicly disclosed by Apache at https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om.

URL

https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+CVE-2022-42889+in+Apache+Commons+Text

Revision History

| Version | Description | Section | Status | Date |
|---------|-------------|---------|--------|------|
| 1.0 | Initial public release. | | Interim | 2022-OCT-24 14:00 PDT |
| 1.1 | Updated Products Under Investigation and Products Confirmed Not Vulnerable. | Affected Products | Interim | 2022-OCT-24 17:00 PDT |
| 1.2 | Updated Products Under Investigation and Products Confirmed Not Vulnerable. | Affected Products | Interim | 2022-OCT-25 16:00 PDT |
| 1.3 | Updated Products Under Investigation and Products Confirmed Not Vulnerable. | Affected Products | Interim | 2022-OCT-26 11:00 PDT |
| 1.4 | Updated Products Under Investigation and Products Confirmed Not Vulnerable. | Affected Products | Interim | 2022-NOV-02 16:00 PDT |
| 1.5 | Updated Products Under Investigation and Products Confirmed Not Vulnerable. | Affected Products | Interim | 2022-NOV-03 15:30 PDT |
| 1.6 | Updated Products Under Investigation and Products Confirmed Not Vulnerable. | Affected Products | Interim | 2022-NOV-09 22:00 PST |
| 1.7 | Updated Summary. | Summary | Final | 2022-DEC-16 13:00 PST |

LEGAL DISCLAIMER

ANY SOFTWARE OR RELEASES, INCLUDING BUT NOT LIMITED TO PATCHES, UPGRADES, AND HOTFIXES, MENTIONED IN THIS SECURITY ADVISORY IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. APPDYNAMICS DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT THERETO, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL APPDYNAMICS, ITS AFFILIATES, OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS, OR SPECIAL DAMAGES, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY TO YOU. 

THE INFORMATION PROVIDED IN THIS SECURITY ADVISORY IS FOR INFORMATIONAL PURPOSES ONLY AND IN NO WAY SHALL BE CONSTRUED AS AN ALTERATION OF APPDYNAMICS’ EXISTING CONTRACTUAL OBLIGATIONS WITH ITS END USERS REGARDING VULNERABILITY MANAGEMENT OR OTHERWISE. END USERS ARE ENCOURAGED TO READ THE REQUIREMENTS SET FORTH HEREIN AND PERFORM THEIR OWN ANALYSIS OF THE APPLICABILITY AND IMPACT OF THE INFORMATION WITH RESPECT TO THEIR SPECIFIC CONFIGURATION AND USE CASE OF THE APPDYNAMICS SOFTWARE.