https://community.cloudera.com/t5/Support-Questions/CVE-2022-42889-Apache-Commons-Text-Text4Shell/m-p/358906#M237973 <P>It looks like CDH 7.1.7 SP1 is vulnerable to&nbsp;CVE-2022-42889.</P> <P>&nbsp;</P> <P>Here is the announcement from Apache which indicates the mitigation is to "Upgrade to Apache Commons Text 1.10.0".</P> <P>&nbsp;</P> <UL> <LI><A href="https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om" target="_blank" rel="noopener">https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om</A></LI> </UL> <P>&nbsp;</P> <P>There was another community thread about Text4Shell in NiFi, but CVE-2022-42889 is NOT just a NiFi issue.</P> <P>&nbsp;</P> <P>CDH 7.1.7 SP1 (even p1057) includes the vulnerable common-jars 1.6/1.7 and 1.9.</P> <P>&nbsp;</P> <PRE>/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.6.jar<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.7.jar<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.9.jar<BR />...<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-text-1.6.jar<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_messaging_manager/libs/commons-text-1.9.jar<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_replication_manager/lib/commons-text-1.9.jar#</PRE> <P>&nbsp;</P> <P>Is there a time frame for 1.10 (or better)?</P> <P>&nbsp;</P> Mon, 05 Dec 2022 21:18:03 GMT jgabrey-1216863216 2022-12-05T21:18:03Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-42889-Apache-Commons-Text-Text4Shell/m-p/358906#M237973 <P>It looks like CDH 7.1.7 SP1 is vulnerable to&nbsp;CVE-2022-42889.</P> <P>&nbsp;</P> <P>Here is the announcement from Apache which indicates the mitigation is to "Upgrade to Apache Commons Text 1.10.0".</P> <P>&nbsp;</P> <UL> <LI><A href="https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om" target="_blank" rel="noopener">https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om</A></LI> </UL> <P>&nbsp;</P> <P>There was another community thread about Text4Shell in NiFi, but CVE-2022-42889 is NOT just a NiFi issue.</P> <P>&nbsp;</P> <P>CDH 7.1.7 SP1 (even p1057) includes the vulnerable common-jars 1.6/1.7 and 1.9.</P> <P>&nbsp;</P> <PRE>/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.6.jar<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.7.jar<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.9.jar<BR />...<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-text-1.6.jar<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_messaging_manager/libs/commons-text-1.9.jar<BR />/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_replication_manager/lib/commons-text-1.9.jar#</PRE> <P>&nbsp;</P> <P>Is there a time frame for 1.10 (or better)?</P> <P>&nbsp;</P> Mon, 05 Dec 2022 21:18:03 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-42889-Apache-Commons-Text-Text4Shell/m-p/358906#M237973 jgabrey-1216863216 2022-12-05T21:18:03Z https://community.cloudera.com/t5/Support-Questions/CVE-2022-42889-Apache-Commons-Text-Text4Shell/m-p/359097#M238018 <P>Hi&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/1115">@jgabrey-1216863216</a>&nbsp;,</P><P>&nbsp;</P><P>This has been fixed in CDP 7.1.7 SP1 CHF20 (<SPAN>p1063). You can refer the below doc :</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/runtime-release-notes/topics/chf-pvcb-sp1-overview.html#ariaid-title2" target="_blank">https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/runtime-release-notes/topics/chf-pvcb-sp1-overview.html#ariaid-title2</A></SPAN></P> Thu, 08 Dec 2022 06:31:45 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-42889-Apache-Commons-Text-Text4Shell/m-p/359097#M238018 rki_ 2022-12-08T06:31:45Z