CVE-2022-42889: Apache Commons Text RCE when applied to untrusted input - Text4Shell
Overview
CVE | CVE-2022-42889 |
CWE | CWE-94 - Improper Control of Generation of Code ('Code Injection') |
CVSS v3.x | 9.8 - Critical |
This article covers the critical vulnerability in the popular library Apache Commons Text (the vulnerability is also known as Text4Shell) and whether the library is used in Matrix42 products. Apache Commons Text is a library focused on algorithms working on strings. The vulnerability affects all versions from 1.5 to 1.9. A fix is available in the current Apache Commons Text version, 1.10.
Matrix42 products affected by the Apache Commons Text vulnerability
Apache Commons Text is not used in Matrix42 products.
Component | Matrix42 Risk evaluation | Required Actions/Recommendations | Note | Fixed Version | Mitigation |
None | N/A | N/A | N/A | N/A | N/A |
Next Steps
Matrix42 will continue to provide updates as necessary in this document.
Updates
Update 1 (2022-11-09)
Matrix42 products are not affected by this vulnerability because they don't use Apache Commons Text.
Change log
Date | Description of change |
2022-11-03 | Initial publication |
2022-11-09 | Update 1 - Matrix42 products not affected |