Support Questions

cjervis · ‎12-05-2022

It looks like CDH 7.1.7 SP1 is vulnerable to CVE-2022-42889.

Here is the announcement from Apache which indicates the mitigation is to "Upgrade to Apache Commons Text 1.10.0".

https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

There was another community thread about Text4Shell in NiFi, but CVE-2022-42889 is NOT just a NiFi issue.

CDH 7.1.7 SP1 (even p1057) includes the vulnerable common-jars 1.6/1.7 and 1.9.

/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.7.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.9.jar
...
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_messaging_manager/libs/commons-text-1.9.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_replication_manager/lib/commons-text-1.9.jar#

Is there a time frame for 1.10 (or better)?

rki_ · ‎12-07-2022

Hi @jgabrey-1216863216 ,

This has been fixed in CDP 7.1.7 SP1 CHF20 (p1063). You can refer the below doc :

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/runtime-release-notes/topics/chf-pvcb-sp1-ove...

View solution in original post

rki_ · ‎12-07-2022

Hi @jgabrey-1216863216 ,

This has been fixed in CDP 7.1.7 SP1 CHF20 (p1063). You can refer the below doc :

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/runtime-release-notes/topics/chf-pvcb-sp1-ove...

Cloudera Community

Support Questions

CVE-2022-42889 Apache Commons Text Text4Shell