Commons-text is only used for testing the Kubernetes integration and isn’t shipped. Having said that, we should update to a version that isn’t vulnerable when one becomes available. (It’s a transitive dependency. We use the latest version of MockServer, but it has not been patched yet. https://mvnrepository.com/artifact/org.mock-server/mockserver-netty)
I’ll let someone else respond to the OpenSSL vulnerability, as I don’t know for sure. I think Ignite uses Java-native cryptographic functions, so probably not an issue. And if it is, you’d need to update your Java or OS.

Regards,
Stephen

> On 31 Oct 2022, at 05:27, Raymond Wilson <[email protected]> wrote:
>
> In the last few days two new potentially high-profile vulnerabilities have come forth from OpenSSL & Apache.
>
> We are currently using Apache Ignite 2.13 and would like to understand if there is known exposure to the vulnerabilities noted below:
>
> The OpenSSL set of libraries has a pending release of a critical vulnerability <https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html>.
>
> OpenSSL Details:
>
> On Oct 25, 2022 one of the main contributors to the OpenSSL project released a statement that a CVE is to be released for the OpenSSL 3.x branch on Tuesday Nov 1, 2022. Currently, details are not released about the vulnerability, due to an embargo giving people time to patch, but it is currently listed as a critical vulnerability. Previous critical vulnerabilities have leaked memory as well as encryption keys; because of this, it is recommended that all libraries be upgraded to 3.0.7 (currently unreleased, will be released Nov 1) for groups utilizing the 3.x branch. As per the development team, users using 1.1.1s are currently unaffected by this vulnerability.
>
> The Apache Commons Text libraries have uncovered and released a fix for a critical issue. The attack vector for this attack is not fully understood, and more patches are coming out.
>
> Apache Commons Text Details - CVE-2022-42889 <https://nvd.nist.gov/vuln/detail/CVE-2022-42889>
>
> On Oct 13th, 2022 a vulnerability was published in the Apache Commons Text library. The vulnerability is related to the use of interpolated strings that allow for the execution of arbitrary code by an attacker. Any string that utilizes the library for the interpolation of strings is vulnerable to the attack. The fix that was supplied by the Apache Software Foundation addresses the remote code execution vulnerability, however it doesn’t address a secondary attack vulnerability that allows for arbitrary file access by the attacker. Teams are recommended to upgrade all instances of the library to 1.10, with the expectation that they will upgrade to 1.11 as soon as it is made available.
>
> Thanks,
> Raymond.
>
> --
> <http://www.trimble.com/>
> Raymond Wilson
> Trimble Distinguished Engineer, Civil Construction Software (CCS)
> 11 Birmingham Drive | Christchurch, New Zealand
> [email protected] <mailto:[email protected]>
>
> <https://worksos.trimble.com/?utm_source=Trimble&utm_medium=emailsign&utm_campaign=Launch>
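The exposure question in this thread comes down to whether a build pulls in commons-text below 1.10, through which parent, and in what scope. The following is an added example (not code from the thread or from Apache Ignite) that answers that from plain `mvn dependency:tree` output; the sample tree and its artifact versions are constructed.

```python
"""Flag commons-text below the CVE-2022-42889 fix version in `mvn dependency:tree` output."""
import re

PATCHED = (1, 10)  # advisory in the thread: upgrade commons-text to 1.10
TARGET = "org.apache.commons:commons-text"

# Constructed sample of `mvn dependency:tree` output; versions are made up.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.mock-server:mockserver-netty:jar:9.9.9:test
[INFO] |  \\- org.apache.commons:commons-text:jar:1.9:test
[INFO] +- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

# Tree-drawing prefix is a multiple of 3 chars ("+- ", "|  ", "\- "), then the coordinates.
LINE_RE = re.compile(r"^\[INFO\]\s(?P<prefix>[ |+\\-]*)(?P<gav>\S+)$")


def parse_version(version):
    """'1.10.0' -> (1, 10, 0); non-numeric qualifiers such as SNAPSHOT are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def find_vulnerable(tree_text):
    """Return (dependency path, version, scope) for every commons-text below PATCHED."""
    findings = []
    path = []  # group:artifact names indexed by depth in the tree
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("gav").split(":")
        name = f"{parts[0]}:{parts[1]}"
        # Root line ends in version; dependency lines end in version:scope.
        version, scope = (parts[-1], None) if depth == 0 else (parts[-2], parts[-1])
        path = path[:depth] + [name]
        if name == TARGET and parse_version(version) < PATCHED:
            findings.append((" -> ".join(path[1:]), version, scope))
    return findings


if __name__ == "__main__":
    for dep_path, version, scope in find_vulnerable(SAMPLE_TREE):
        # test scope is not shipped with the artifact; compile/runtime scope is.
        shipped = "not shipped" if scope == "test" else "shipped"
        print(f"commons-text {version} via {dep_path} [{scope}, {shipped}]")
```

Run it against `mvn dependency:tree | python3 check.py`-style input by replacing `SAMPLE_TREE` with `sys.stdin.read()`; the path column shows which parent (here the MockServer dependency) drags the old version in.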
