Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
Statement: eap-7, eapxp-4, camel-k, camel-q have maven references to the affected package but does not ship it nor use the code
After further evaluation, we found that EAP has apache-commons-text dependency explicitly declared under exclusions : https://github.com/jbossas/jboss-eap7/blob/EAP_7.4.7.CR3-dev/pom.xml Hence marking EAP as not affected and closing the EAP tracker.
adding openshift-4 and satellite-6 affected/fix
Is there any mitigation for this vulnerability?
Any updates planned for Satellite Server 6 to fix this vulnerability?
business-central.war/WEB-INF/lib/commons-text-1.9.jar exists in Redhat process automation service. Any updates planned for RHPAM 7.13.1?
This issue has been addressed in the following products: Red Hat Fuse 7.11.1 Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
This issue has been addressed in the following products: Red Hat JBoss AMQ Via RHSA-2022:8876 https://access.redhat.com/errata/RHSA-2022:8876
This issue has been addressed in the following products: RHINT Camel-Springboot 3.18.3 Via RHSA-2022:8902 https://access.redhat.com/errata/RHSA-2022:8902
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-42889
This issue has been addressed in the following products: Red Hat build of Quarkus 2.13.5 Via RHSA-2022:9023 https://access.redhat.com/errata/RHSA-2022:9023
Could you provide status updates on Red Hat Satellite 6 **candlepin**? Thank you!
This issue has been addressed in the following products: Red Hat Satellite 6.12 for RHEL 8 Via RHSA-2023:0261 https://access.redhat.com/errata/RHSA-2023:0261
This issue has been addressed in the following products: RHINT Camel-Q 2.13.2 Via RHSA-2023:0469 https://access.redhat.com/errata/RHSA-2023:0469
This issue has been addressed in the following products: Red Hat build of Quarkus 2.7.7 Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2023:1524 https://access.redhat.com/errata/RHSA-2023:1524
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2023:1866 https://access.redhat.com/errata/RHSA-2023:1866
This issue has been addressed in the following products: Red Hat Satellite 6.13 for RHEL 8 Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2023:2135 https://access.redhat.com/errata/RHSA-2023:2135
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2023:3195 https://access.redhat.com/errata/RHSA-2023:3195
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2023:6179 https://access.redhat.com/errata/RHSA-2023:6179
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.14 Via RHSA-2023:7288 https://access.redhat.com/errata/RHSA-2023:7288
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.14 Via RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2024:0775 https://access.redhat.com/errata/RHSA-2024:0775
This issue has been addressed in the following products: Red Hat AMQ Streams 2.7.0 Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Via RHSA-2025:1746 https://access.redhat.com/errata/RHSA-2025:1746
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Via RHSA-2025:1747 https://access.redhat.com/errata/RHSA-2025:1747