[ https://issues.apache.org/jira/browse/GEODE-10448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Murmann updated GEODE-10448:
--------------------------------------
    Labels: needsTriage  (was: )

> CVE-2022-42889 Apache Commons Text security vulnerability in Apache Geode
> -------------------------------------------------------------------------
>
>                 Key: GEODE-10448
>                 URL: https://issues.apache.org/jira/browse/GEODE-10448
>             Project: Geode
>          Issue Type: Bug
>          Components: pulse, tools
>    Affects Versions: 1.15.1
>            Reporter: Eli
>            Priority: Major
>              Labels: needsTriage
>
> I have encountered the security vulnerability
> [CVE-2022-42889|https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om]
> related to Apache Commons Text. It is mentioned that the mitigation is to
> "Upgrade to [Apache Commons Text
> 1.10.0|https://commons.apache.org/proper/commons-text/download_text.cgi]",
> because the following jar files are present:
> <GEODE_HOME>/locator01/GemFire_gemfire/services/http/0.0.0.0_7070_pulse_xxxxxxxx/webapp/WEB-INF/lib/commons-text-1.9.jar
> <GEODE_HOME>/locator01/GemFire_root/services/http/0.0.0.0_7070_pulse_xxxxxxxx/webapp/WEB-INF/lib/commons-text-1.9.jar
> The latest official [Apache Geode version
> 1.15.1|https://apache.org/dyn/closer.cgi/geode/1.15.1/apache-geode-1.15.1.tgz]
> has the vulnerable file commons-text-1.9.jar, which falls under the affected
> range “version 1.5 and continuing through 1.9”. Inside the folder
> <GEODE_HOME>/tools/Pulse, there is the file geode-pulse-1.15.1.war. Inside
> that war file, there is the file
> geode-pulse-1.15.1.war/WEB-INF/lib/commons-text-1.9.jar.
> As a temporary workaround, I replaced the file commons-text-1.9.jar with
> commons-text-1.10.0.jar, updated the MANIFEST.MF file under
> geode-pulse-1.15.1.war/META-INF, and created a new geode-pulse-1.15.1.war
> file including the 2 updated files mentioned.
> Unfortunately, I’m not a developer. I’m not familiar with GitHub, so as much
> as I would like to help in contributing to the code, there is a more
> appropriate person to perform the update to commons-text 1.10.0. I have sent
> a mail to the ASF Security Team, and I was given this
> [link|https://github.com/apache/geode/blob/master/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy#L144]
> that shows the dependency on the vulnerable commons-text version 1.9.
> Can somebody assist in fixing this security vulnerability? Thank you in
> advance!
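The report names two places where a commons-text jar can sit in a Geode install: loose in the exploded Pulse webapp under services/http/.../webapp/WEB-INF/lib, and bundled inside tools/Pulse/geode-pulse-1.15.1.war. The script below is an added example (not code from the JIRA report or the Geode project) that audits both kinds of location in one pass: it walks a directory, matches commons-text-<version>.jar files on disk and as entries inside war/jar/zip archives, and flags versions in the advisory's range, 1.5 through 1.9, as affected while treating 1.10.0 and later as fixed. The directory tree it audits is constructed sample data mirroring the report's paths; the "0.0.0.0_7070_pulse_sample" segment and the "patched" directory are made-up names, not part of any real install.

```python
"""Added example (not from the JIRA report or the Geode project): audit a
Geode install tree for commons-text jars in the CVE-2022-42889 range.

Covers both locations the report names: loose jars in an exploded Pulse
webapp (services/http/.../webapp/WEB-INF/lib/) and jars bundled inside an
archive (tools/Pulse/geode-pulse-1.15.1.war). The tree built below is
constructed sample data mirroring the report's paths, not a real install.
"""
import os
import re
import tempfile
import zipfile

# Matches a file name or archive entry such as "commons-text-1.9.jar"
# and captures the version string.
JAR_RE = re.compile(r"commons-text-(\d+(?:\.\d+)*)\.jar$")

AFFECTED_MIN = (1, 5)  # advisory: "version 1.5 and continuing through 1.9"
FIXED_MIN = (1, 10)    # 1.10.0 is the release the advisory points to

ARCHIVE_SUFFIXES = (".war", ".jar", ".zip", ".ear")  # all are zip containers


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); tuples compare numerically, so 1.10 > 1.9."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when 1.5 <= version < 1.10, i.e. inside the CVE-2022-42889 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_MIN


def _finding(location, version):
    return {"location": location, "version": version,
            "affected": is_affected(version)}


def audit_tree(root):
    """Return one finding per commons-text jar found under root.

    Loose jars are reported by path; jars inside an archive are reported
    as '<archive>!/<entry>' so the result says which war to rebuild.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            m = JAR_RE.search(fname)
            if m:
                # Case 1: loose jar, e.g. an exploded webapp lib directory
                findings.append(_finding(path, m.group(1)))
                continue
            if fname.endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(path):
                # Case 2: jar bundled inside a war/jar/zip
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        m = JAR_RE.search(entry)
                        if m:
                            findings.append(_finding(path + "!/" + entry, m.group(1)))
    return findings


def build_sample_install(root):
    """Create a constructed directory tree shaped like the report's paths."""
    lib = os.path.join(root, "locator01", "GemFire_root", "services", "http",
                       "0.0.0.0_7070_pulse_sample", "webapp", "WEB-INF", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "commons-text-1.9.jar"), "wb").close()  # vulnerable, loose
    pulse = os.path.join(root, "tools", "Pulse")
    os.makedirs(pulse)
    with zipfile.ZipFile(os.path.join(pulse, "geode-pulse-1.15.1.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-text-1.9.jar", b"")       # vulnerable, bundled
        war.writestr("WEB-INF/lib/commons-lang3-3.12.0.jar", b"")  # unrelated jar, ignored
    patched = os.path.join(root, "patched", "WEB-INF", "lib")      # constructed name
    os.makedirs(patched)
    open(os.path.join(patched, "commons-text-1.10.0.jar"), "wb").close()  # fixed version


def audit_sample_install():
    """Build the sample tree in a temp dir, audit it, return root-relative findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        results = audit_tree(root)
        for f in results:
            f["location"] = os.path.relpath(f["location"], root).replace(os.sep, "/")
        return results


if __name__ == "__main__":
    for f in audit_sample_install():
        flag = "AFFECTED" if f["affected"] else "ok"
        print(f"{flag:9} commons-text {f['version']:7} {f['location']}")
```

Run it against a real <GEODE_HOME> by calling audit_tree("<GEODE_HOME>") instead of the sample builder. The version comparison deliberately uses integer tuples rather than string comparison, because "1.10.0" sorts before "1.9" as text and would otherwise be misreported as affected; that is exactly the mix of versions present after the workaround described in the report.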
--
This message was sent by Atlassian Jira
(v8.20.10#820010)