
CVE-2022-42889 Apache Commons Text Text4Shell


It looks like CDH 7.1.7 SP1 is vulnerable to CVE-2022-42889.

 

Here is the announcement from Apache which indicates the mitigation is to "Upgrade to Apache Commons Text 1.10.0".

 

 

There was another community thread about Text4Shell in NiFi, but CVE-2022-42889 is NOT just a NiFi issue.

 

CDH 7.1.7 SP1 (even p1057) includes the vulnerable commons-text jars 1.6, 1.7 and 1.9.

 

/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.7.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.9.jar
...
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_messaging_manager/libs/commons-text-1.9.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_replication_manager/lib/commons-text-1.9.jar

 

Is there a time frame for 1.10 (or better)?
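The jar listing above is the kind of inventory a defender wants to automate across every parcel and service directory, since the same library ships in several places. The script below is an added example and is not code from the original post or from Cloudera: it walks a directory tree, picks up every `commons-text*.jar`, reads the version from the file name (falling back to `Implementation-Version` in `META-INF/MANIFEST.MF` when the name carries none), and flags versions inside the advisory's affected range of 1.5 through 1.9, i.e. anything below the fixed release 1.10.0. The sample tree it scans is constructed in a temporary directory with empty manifest-only jars that mimic the parcel layout; the paths, function names and the `scan_sample` helper are assumptions for the demonstration, not real CDH artifacts.

```python
"""Inventory commons-text jars under a directory tree and flag those needing the 1.10.0 upgrade."""
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

FIXED_VERSION: Version = (1, 10, 0)   # first release containing the CVE-2022-42889 fix
FIRST_AFFECTED: Version = (1, 5, 0)   # Apache's advisory lists 1.5 through 1.9 as affected

# Matches commons-text-1.9.jar (version in name) and commons-text.jar (no version in name).
JAR_NAME = re.compile(r"^commons-text(?:-(\d+(?:\.\d+)*))?\.jar$")


def parse_version(text: str) -> Optional[Version]:
    """Normalise '1.9', '1.10' or '1.10.0' to a 3-tuple so that 1.10 == 1.10.0 compares correctly."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())  # type: ignore[return-value]


def manifest_version(jar_path: str) -> Optional[str]:
    """Fall back to META-INF/MANIFEST.MF when the file name carries no version."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def find_commons_text_jars(root: str) -> List[Tuple[str, Optional[Version], bool]]:
    """Return (path, version, affected) for every commons-text jar below root.

    affected is True when the version lies in [1.5, 1.10.0). A jar whose version
    cannot be determined is reported as affected so it gets reviewed, not skipped.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            m = JAR_NAME.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            raw = m.group(1) or manifest_version(path)
            version = parse_version(raw) if raw else None
            affected = version is None or FIRST_AFFECTED <= version < FIXED_VERSION
            findings.append((path, version, affected))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed sample layout loosely mimicking the parcel paths in the post (not real CDH jars)."""
    def write_jar(rel: str, impl_version: Optional[str]) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            manifest = "Manifest-Version: 1.0\n"
            if impl_version:
                manifest += f"Implementation-Version: {impl_version}\n"
            zf.writestr("META-INF/MANIFEST.MF", manifest)

    write_jar("jars/commons-text-1.6.jar", "1.6")
    write_jar("jars/commons-text-1.9.jar", "1.9")
    write_jar("jars/commons-text-1.10.0.jar", "1.10.0")
    write_jar("lib/solr/WEB-INF/lib/commons-text.jar", "1.7")  # version only in the manifest


def scan_sample() -> List[Tuple[str, Optional[Version], bool]]:
    """Build the constructed tree in a temp dir, scan it, and return root-relative findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(p, root), v, a) for p, v, a in find_commons_text_jars(root)]


if __name__ == "__main__":
    for rel, version, affected in scan_sample():
        label = "UPGRADE" if affected else "ok"
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{label:8} {shown:8} {rel}")
```

Point `find_commons_text_jars` at `/opt/cloudera/parcels` on a real node to get the same report for the installed parcel; the manifest fallback matters because some bundles (shaded or renamed jars) do not carry the version in the file name. Checking the parcel's own jar list against a patched CHF this way also confirms the fix actually landed on every host, not just the one where the upgrade was run.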

 

1 ACCEPTED SOLUTION

Super Collaborator

Hi @jgabrey-1216863216 ,

 

This has been fixed in CDP 7.1.7 SP1 CHF20 (p1063). You can refer to the doc below:

 

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/runtime-release-notes/topics/chf-pvcb-sp1-ove...