Hi all,

We (several Committers) analyzed this vulnerability yesterday and came to the 
same conclusion as Edmund.

No version of DSpace appears to be vulnerable to CVE-2022-42889, based on the 
current information available.  This includes DSpace 7.x, 6.x, 5.x and every 
other release before then. Apache Commons Text is only included in the DSpace 
7.x releases.

If you are interested in updating your version of Apache Commons Text in DSpace 
7.x, we have an early PR at https://github.com/DSpace/DSpace/pull/8537

This PR is still being tested/reviewed, but the results are good so far.  It 
will be included in the upcoming 7.5 release (due in Feb 2023). This PR's 
description also contains notes of our analysis of this vulnerability.

If more information becomes available about CVE-2022-42889 that causes a 
concern for DSpace, we'll reanalyze and possibly release an immediate patched 
version of 7.x.  However, at this time, we don't anticipate that occurring. 
From what I'm reading, this security vulnerability is dangerous, but also very 
rare. Exploiting the vulnerability seems to require using a very specific 
feature of Apache Commons Text & passing it untrusted user input. DSpace 
doesn't use the vulnerable feature, and never passes any untrusted data to 
Apache Commons Text.

If anyone has any further questions or concerns, feel free to reach out to me 
or email [email protected] (which goes to all active DSpace Committers).

Thanks,

Tim Donohue
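The distinction Tim draws above (a "very specific feature" of Apache Commons Text fed untrusted input, versus substitution of values from configuration files) is easiest to see side by side. The snippet below is an added illustration written for this thread; it is not DSpace code and not Commons Text's own documentation. It assumes commons-text 1.5 to 1.9 on the classpath and Java 11+; the CONFIG map, the UNTRUSTED string and the class/method names are constructed for the example. On 1.10 and later the script, dns and url lookups are no longer part of the default interpolator, so the first method is much less dangerous there.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added illustration, not DSpace code. Shows the CVE-2022-42889 pattern next to two safe ones.
public class CommonsTextLookupDemo {

    // Constructed stand-in for values read from a well-governed configuration file.
    static final Map<String, String> CONFIG = Map.of(
            "dspace.dir", "/opt/dspace",
            "dspace.name", "Demo Repository");

    // Constructed stand-in for a string an attacker controls (query parameter, metadata
    // value, ...). It uses the ${prefix:...} syntax that only the *interpolating*
    // substitutor understands. A benign 'sys' prefix is used here; in 1.5-1.9 the
    // same position accepts the 'script', 'dns' and 'url' prefixes the CVE is about.
    static final String UNTRUSTED = "hello ${sys:java.version} ${dspace.dir}";

    /** Vulnerable pattern: default interpolator applied to an attacker-controlled template. */
    static String vulnerable(String template) {
        // createInterpolator() wires in every default lookup (sys, env, file, url, dns,
        // script, ...). The template itself decides which lookup runs, so untrusted
        // input here means SSRF or code execution on 1.5-1.9.
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(template);
    }

    /** Safe pattern 1: plain map-backed substitutor; only keys present in CONFIG resolve. */
    static String configOnly(String template) {
        // No prefix handling at all: "${sys:java.version}" is looked up as a literal key,
        // is not found, and is left unchanged. "${dspace.dir}" resolves from CONFIG.
        StringSubstitutor sub = new StringSubstitutor(CONFIG);
        return sub.replace(template);
    }

    /** Safe pattern 2: explicit allowlist of lookup prefixes, built-in defaults disabled. */
    static String allowlisted(String template) {
        StringLookup configLookup = StringLookupFactory.INSTANCE.mapStringLookup(CONFIG);
        Map<String, StringLookup> allowed = new HashMap<>();
        // Only prefixes registered here are honoured. 'date' is harmless; do NOT add
        // script, dns or url unless the template is fully trusted.
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        // The final 'false' suppresses the built-in default lookups entirely.
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, configLookup, false);
        return new StringSubstitutor(interpolator).replace(template);
    }

    public static void main(String[] args) {
        System.out.println("vulnerable : " + vulnerable(UNTRUSTED));
        System.out.println("config-only: " + configOnly(UNTRUSTED));
        System.out.println("allowlisted: " + allowlisted(UNTRUSTED));
    }
}
```

Run it with commons-text 1.9 on the classpath: only the first method resolves the "sys" lookup embedded in the input; the other two leave "${sys:java.version}" as literal text and resolve nothing but configuration keys. One caveat on the allowlisted variant: when a prefix is not registered, Commons Text strips it and retries the remainder against the default lookup, so "${anything:dspace.dir}" still resolves to the config value. That is harmless when the default lookup is a map of your own configuration, but it is worth knowing if the default lookup is something more powerful. When auditing a codebase for this CVE, grep for createInterpolator(), interpolatorStringLookup( and StringLookupFactory: those are the calls that turn a substitutor into the feature Tim describes; a bare new StringSubstitutor(map) over configuration values is the benign case.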
________________________________
From: [email protected] <[email protected]> on behalf of 
Edmund Balnaves <[email protected]>
Sent: Thursday, October 20, 2022 6:37 AM
To: DSpace Technical Support <[email protected]>
Subject: [dspace-tech] Re: Apache Commons Text vulnerability

The vulnerability centres on use of the StringSubstitutor from an unfiltered 
input.

It looks from the source that the function is used for substitutions derived 
from dspace configuration files.

On an initial review, as long as these config files are well-governed dspace7 
should be safe in the context of this vulnerability.



On Thursday, October 20, 2022 at 7:51:26 PM UTC+11 [email protected] wrote:
Hi all,
A vulnerability has been discovered affecting versions 1.5 to 1.9 of 
Apache Commons Text:
https://nvd.nist.gov/vuln/detail/CVE-2022-42889

I've seen DSpace 7 uses the 1.9 version of this library:
https://github.com/DSpace/DSpace/blob/main/dspace-api/pom.xml#L850

It is recommended to update to 1.10, but I haven't tested it yet myself. Just 
wanted to make sure everyone who is using DSpace 7 in production is aware of 
this.

Regards,
Oriol

PS: Here are some more links about the vulnerability
https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
https://www.securityweek.com/critical-apache-commons-text-flaw-compared-log4shell-not-widespread
https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/



--
All messages to this mailing list should adhere to the Code of Conduct: 
https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
[email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/0d1fcb02-4acb-4aaa-985c-54d8a847215en%40googlegroups.com.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/PH0PR22MB3274E8CB87839E5FD98E7EF9ED2A9%40PH0PR22MB3274.namprd22.prod.outlook.com.