
Vulnerability (Text4Shell) (CVE-2022-42889)


Greetings Cloudera Community!!

 

The Text4Shell vulnerability impacts Apache applications that use commons-text versions 1.5 to 1.9, and our application, NiFi version 1.16.2, hosted on a Linux server (Red Hat Enterprise Linux Server 7.9), uses the commons-text version 1.8 jar file in its lib folder.

Can anyone please help us figure out the best solution to handle this vulnerability on our production servers? We have a few queries about the vulnerability:

1: Is the NiFi version 1.16.2 application affected by this vulnerability?

2: In the NiFi configuration files, we are not using any calls related to the StringSubstitutor API. Are we still vulnerable to Text4Shell?

3: If NiFi version 1.16.2 is vulnerable, can we just replace the commons-text jar file in NiFi 1.16.2 from 1.8 to 1.10? Would this have any impact on our prod servers?

Please let us know about this vulnerability for NiFi 1.16.2. If it is impacting NiFi version 1.16.2, what would be the best solution to mitigate it?

Vulnerability Details:

Release Date: 18th October 2022

CVE Detail: CVE-2022-42889

CVSS Score: Critical (9.8)

Affected Products:

* Apache Commons Text versions 1.5 through 1.9

* This vulnerability is a remote code execution (RCE) vulnerability that arises from an insecure implementation of Commons Text's variable interpolation functionality, where some default lookup strings could potentially accept untrusted input from remote attackers, such as DNS requests, URLs, or inline scripts, and can allow an attacker to execute arbitrary scripts passed to the created interpolator object.

* This vulnerability exists in the StringSubstitutor interpolator object.

Recommendation:

* Upgrade immediately to Apache Commons Text version 1.10.0

Ref: https://www.imperva.com/blog/apache-commons-text-vulnerability-cve-2022-42889/

Ref: https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/#:~:text....

Thank you!

Girish
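A shell check of the kind query 3 calls for, added here as an example that is not part of this thread: it scans a NiFi lib directory for a commons-text jar and reports whether its version falls in the CVE-2022-42889 affected range (1.5 through 1.9), pointing at 1.10.0 as the fixed release. The lib path and the jar naming pattern commons-text-<version>.jar are assumptions.

```shell
#!/bin/sh
# Added example (not part of the thread): audit a NiFi lib directory for an
# Apache Commons Text jar in the CVE-2022-42889 affected range, 1.5 through 1.9.
# Assumes the jar is named commons-text-<version>.jar, as in NiFi's lib folder.

# Return 0 if version $1 (e.g. 1.8, 1.9.0, 1.10.0) is in the affected range,
# 1 otherwise (including unparsable versions).
commons_text_affected() {
    major=${1%%.*}          # "1.10.0" -> "1"
    rest=${1#*.}            # "1.10.0" -> "10.0"
    minor=${rest%%.*}       # "10.0"   -> "10"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]; then
        return 0
    fi
    return 1
}

# Print one line per commons-text jar under directory $1.
# Return 0 if at least one affected jar was found, 1 otherwise.
audit_commons_text() {
    affected_found=1
    for jar in "$1"/commons-text-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        ver=$(basename "$jar" .jar)
        ver=${ver#commons-text-}
        if commons_text_affected "$ver"; then
            echo "AFFECTED  $jar  (commons-text $ver; CVE-2022-42889, upgrade to 1.10.0)"
            affected_found=0
        else
            echo "ok        $jar  (commons-text $ver)"
        fi
    done
    return $affected_found
}

# Usage: sh audit_commons_text.sh /opt/nifi/lib   (path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_commons_text "$1"
fi
```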

1 ACCEPTED SOLUTION


@Girish007 Sorry, no.

I can't suggest any other fix that you can implement in your production environment to mitigate the Log4shell vulnerability. And I would go further and say that I seriously doubt that anyone in a responsible position is going to tell you that you don't "really need to upgrade [y]our current nifi version 1.16.2 to a newer version" in spite of the fact that this specific situation is a great example of how a supposed "important" vulnerability brought to light by certain security scan applications really isn't actually relevant due to the specific way the library is used in a delivered system (which was the point I was trying to make earlier in this thread).

I have no doubt at all as to the accuracy of the assessment in the aforementioned Jira, and I also would strongly recommend that you plan to upgrade your current nifi version. My current understanding is that NiFi 1.19.0 included the library upgrade, and the forthcoming CFM 2.1.5.0 version will also include Apache Commons Text 1.10.0.

Bill Brooks, Community Moderator


Can you directly replace it with commons-text-1.10.0.jar in the lib directory without upgrading NiFi?