Created on 12-05-2022 10:10 AM - last edited on 12-05-2022 01:18 PM by cjervis
It looks like CDH 7.1.7 SP1 is vulnerable to CVE-2022-42889.
Here is the announcement from Apache which indicates the mitigation is to "Upgrade to Apache Commons Text 1.10.0".
There was another community thread about Text4Shell in NiFi, but CVE-2022-42889 is NOT just a NiFi issue.
CDH 7.1.7 SP1 (even p1057) includes the vulnerable common-jars 1.6/1.7 and 1.9.
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.7.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/jars/commons-text-1.9.jar
...
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-text-1.6.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_messaging_manager/libs/commons-text-1.9.jar
/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1057.32088321/lib/streams_replication_manager/lib/commons-text-1.9.jar
Is there a time frame for 1.10 (or better)?
Created 12-07-2022 10:31 PM
Hi @jgabrey-1216863216 ,
This has been fixed in CDP 7.1.7 SP1 CHF20 (p1063). You can refer to the doc below:
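To confirm which Commons Text copies a parcel ships before and after applying a hotfix, here is an added example (not from the posts above and not Cloudera's tooling). It reads the version from each jar's Maven metadata, falls back to the file name, and looks inside bundled archives such as WAR files; the affected range 1.5 through 1.9 is taken from the Apache advisory for CVE-2022-42889, and all function names are this example's own.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
NAME_RE = re.compile(r"commons-text-(\d+(?:\.\d+)*)\.jar$")
ARCHIVES = (".jar", ".war", ".ear")


def affected(version):
    """CVE-2022-42889 covers Commons Text 1.5 through 1.9; 1.10.0 is the fix."""
    major, minor = ([int(p) for p in re.findall(r"\d+", version)] + [0, 0])[:2]
    return (1, 5) <= (major, minor) <= (1, 9)


def versions_in(data, label, depth=2):
    """Yield (location, version) for each Commons Text copy in an archive."""
    try:
        zf = zipfile.ZipFile(data)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable or not a zip: nothing to report
    with zf:
        names = zf.namelist()
        if POM in names:  # Maven metadata survives renaming and shading
            m = re.search(r"^version=(\S+)", zf.read(POM).decode("utf-8", "replace"), re.M)
            if m:
                yield label, m.group(1)
        elif (m := NAME_RE.search(label)):
            yield label, m.group(1)  # no Maven metadata: trust the file name
        if depth > 0:
            for n in names:  # bundled libraries, e.g. WEB-INF/lib/*.jar
                if n.lower().endswith(ARCHIVES):
                    yield from versions_in(io.BytesIO(zf.read(n)), f"{label}!{n}", depth - 1)


def scan(root):
    """Walk root and return sorted (location, version, is_affected) tuples."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            hits += [(loc, v, affected(v)) for loc, v in versions_in(str(p), str(p))]
    return sorted(hits)


if __name__ == "__main__":
    for loc, ver, bad in scan(sys.argv[1]):
        print(f"{'AFFECTED' if bad else 'ok':8} {ver:8} {loc}")
```

Run it with the parcel directory as the only argument; any line marked AFFECTED after the hotfix is a copy that was not replaced.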