CVE Description: Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
For up-to-date information, please refer to https://nvd.nist.gov/vuln/detail/CVE-2022-42889
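The following is an added illustration of the mechanism described above; it is not code from Micro Focus, Apache, or this bulletin. It shows the vulnerable pattern (an interpolator built from the library defaults and fed an attacker-controlled string) next to a hardened construction that names an explicit allow-list of lookups and passes addDefaultLookups=false, so the result does not depend on which version's defaults are in play. The class name, the sample strings, and the choice of "sys" and "env" as the allowed prefixes are assumptions made for the example.

```java
// Added example (not Micro Focus or Apache code). Requires commons-text on the
// classpath; the vulnerable branch only does anything interesting on 1.5-1.9 with
// a javax.script engine present (e.g. Nashorn, bundled with JDK 8 through 14).
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class InterpolationDemo {

    // VULNERABLE on 1.5 through 1.9: createInterpolator() wires in every default
    // lookup, including "script", "dns" and "url". If the input is attacker
    // controlled, the attacker chooses the prefix and therefore the lookup.
    static String interpolateWithDefaults(String untrusted) {
        return StringSubstitutor.createInterpolator().replace(untrusted);
    }

    // HARDENED: build the interpolator from an explicit allow-list and pass
    // addDefaultLookups=false. No lookup that is not named here is reachable,
    // whatever the library defaults happen to be in the installed version.
    static String interpolateAllowListed(String untrusted) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put(StringLookupFactory.KEY_SYS, factory.systemPropertyStringLookup());
        allowed.put(StringLookupFactory.KEY_ENV, factory.environmentVariableStringLookup());
        // null default lookup: an unknown prefix resolves to nothing.
        StringLookup lookup = factory.interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        // Fail closed: an unresolvable variable such as "${script:...}" raises
        // IllegalArgumentException instead of being passed through as text.
        sub.setEnableUndefinedVariableException(true);
        return sub.replace(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for an untrusted configuration value.
        // The expression is deliberately harmless; any javax.script expression,
        // including one that calls Runtime.exec, would be evaluated the same way.
        String payload = "${script:javascript:3 + 4}";
        String benign = "java.home is ${sys:java.home}";

        System.out.println(interpolateWithDefaults(payload)); // "7" on 1.5-1.9 with a script engine
        System.out.println(interpolateAllowListed(benign));   // the sys: prefix is allowed and resolves
        try {
            interpolateAllowListed(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When reviewing a code base for exposure, search for StringSubstitutor.createInterpolator() and for StringLookupFactory.INSTANCE.interpolatorStringLookup() called with addDefaultLookups=true or with no arguments, then trace whether any string reaching replace() can be influenced from outside. Upgrading to 1.10.0 removes "script", "dns" and "url" from the defaults, but the allow-list form above is the durable fix because it does not rely on defaults at all.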
Yes, and we have a robust, dedicated, full-time threat intelligence team with a Micro Focus-wide view that constantly reviews new reports of vulnerabilities, threats, and compromises for possible impact to our information assets.
Micro Focus implements a Secure Development Lifecycle that includes Supply Chain Security, a Third-Party Component Manifest and Third-Party Component Monitoring. Using these formal practices, we help ensure that third-party components are sourced from trusted repositories, scanned and tested, free of known CVEs, and signed to ensure authenticity. New vulnerabilities are scanned for and tracked to ensure closure. Additionally, Micro Focus has scheduled rolling scans using a variety of tools to detect a wide variety of vulnerabilities. Vendor rule sets, signatures and code are typically scrutinized after a new vulnerability announcement. We continue to get updates from our security vendors and internal security community on the latest scanning techniques for CVE-2022-42889 and other vulnerabilities. We also take a risk-based approach to prioritizing which patches get applied first.
We are prioritizing CVE-2022-42889 alongside other patch efforts. We rank potential patches according to CVSS scoring, and also our own enhanced scoring system that takes additional data points into account. Configuration changes or patch installations require Quality Assurance analysis and testing prior to deployment to production systems to prevent unexpected service interruptions.
At present, we are not aware of any current indications of compromise in Micro Focus products related to CVE-2022-42889 or related vulnerabilities.
At present, we are not aware of any improper access or disclosure of customer data related to CVE-2022-42889 or any related vulnerabilities.
Please make sure that you monitor Micro Focus Security bulletins regularly and you apply the latest security updates released by Micro Focus as soon as possible. We also encourage you to monitor for vendor patches as they become available within your own environment.
Oct 20, 2022
Micro Focus continues to monitor the CVE-2022-42889 vulnerability closely and issues appropriate patches, security bulletins and communications to support our customers. As this is a still-evolving situation, we will monitor and actively address changes. Keep watching the Micro Focus Security Bulletins for any changes resulting from further industry analysis of this vulnerability. Micro Focus is committed to continuing to provide prompt remediation if the situation develops further. We will periodically update this page to ensure you have the latest information on our status.
If you don't see your product listed, please check back for updates. Please contact support if the matter is urgent.