Greetings Cloudera Community!!
Text4shell vulnerability is impacting the apache application which is using commons-text version 1.5 to 1.9 and our application Nifi version 1.16.2 hosted on linux server (Red Hat Enterprise Linux Server 7.9) is using commons-text version 1.8 jar file in lib folder.
Can anyone please help to figure out the best solution to handle this vulnerability in our production servers: We have few queries for the vulnerability:
1:Is the nifi version 1.16.2 application is affected by this vulnerability?
2: In Nifi configuration files, we are not using any calls related to StringSubstitutor API. Are we still vulnerable to test4Shell?
3: If nifi version 1.16.2 vulnerable then can we just replace the commons-text jar file from 1.8 to 1.10 in nifi 1.16.2. Is there any impact of this in our prod servers?
Please do let us know on this vulnerability for nifi 1.16.2. If it is impacting nifi 1.16.2 version then what would be the best solution to mitigate this vulnerability.
Vulnerability Details:
Release Date: 18th October 2022
CVE Detail: CVE-2022-42889
CVSS Score: Critical (9.8)
Affected Products:
* Apache Commons Text versions 1.5 through 1.9
* This vulnerability is a remote code execution (RCE) vulnerability, that arises from insecure implementation of Commons Text's variable interpolation functionality, where some default lookup strings could potentially accept untrusted input from remote attackers, such as DNS requests, URLs, or inline scripts and can allow an attacker to execute arbitrary scripts passed to the created interpolator object.
* This vulnerability exists in the StringSubstitutor interpolator object.
Recommendation:
* Upgrade immediately to Apache Commons Text version 1.10.0
Ref: https://www.imperva.com/blog/apache-commons-text-vulnerability-cve-2022-42889/
Ref: https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/#:~:text....
