DISCLAIMER

      Confluence IS NOT VULNERABLE to CVE-2022-42889.

      This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

      Confluence does not use the vulnerable module org.apache.commons.text.StringSubstitutor

      Issue Summary

      The Apache Commons Text library should be upgraded to 1.10.0 or later to mitigate the exploitation attempts described in CVE-2022-42889.

      Steps to Reproduce

      Check the org.apache.commons:commons-text version in pom.xml.

      Expected Results

      commons-text 1.10.0 or later is expected.

      Actual Results

      commons-text 1.9 (or earlier) is used.

      Workaround

      Currently, there is no known workaround for this behavior. A workaround will be added here when available.
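      The reproduction step above only checks the version declared in pom.xml. As the comments on this issue show, the copies that matter at runtime are the ones lying in WEB-INF/lib directories and the ones embedded under META-INF/lib inside plugin bundle jars, which a name-based find over the unpacked distribution never opens. The following script is an added example (not Atlassian code and not part of this issue) that inventories both kinds of copy and flags versions in the CVE-2022-42889 affected range (1.5 through 1.9). The directory layout it builds is a constructed sample that mimics the paths quoted in the comments; the jar file names and the META-INF/lib location are assumptions taken from those paths.

```python
"""Inventory Apache Commons Text jars in a Confluence-style install tree.

Added example, not Atlassian code. It walks a directory, records every
commons-text-<version>.jar lying on disk, and also opens every other .jar as a
zip archive to catch copies embedded inside plugin bundles (for example under
META-INF/lib/), which a plain `find -name "*commons-text*"` over the unpacked
distribution does not look into. Versions in the CVE-2022-42889 affected
range (1.5 through 1.9) are flagged.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

JAR_NAME = re.compile(r"commons-text-(\d+(?:\.\d+)+)\.jar$")
FIRST_AFFECTED = (1, 5, 0)
FIXED = (1, 10, 0)


def parse_version(text):
    """'1.10.0' -> (1, 10, 0), zero-padded to three parts so 1.9 < 1.10 (a string compare gets this wrong)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIXED


@dataclass(frozen=True)
class Finding:
    location: str   # path relative to the scan root; "outer.jar!/inner" for an embedded copy
    version: str
    affected: bool


def scan_embedded(jar_path, rel):
    """Look inside a plugin or bundle jar for commons-text jars shipped as entries."""
    if not zipfile.is_zipfile(jar_path):
        return []
    with zipfile.ZipFile(jar_path) as zf:
        hits = [(entry, JAR_NAME.search(entry)) for entry in zf.namelist()]
    return [Finding(f"{rel}!/{entry}", m.group(1), is_affected(m.group(1))) for entry, m in hits if m]


def scan_tree(root):
    """Return every commons-text jar under root, on disk or embedded in another jar."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            m = JAR_NAME.search(name)
            if m:
                findings.append(Finding(rel, m.group(1), is_affected(m.group(1))))
            elif name.endswith(".jar"):
                findings.extend(scan_embedded(path, rel))
    return sorted(findings, key=lambda f: f.location)


# Constructed sample layout mirroring the paths quoted in the comments (placeholder files, not real jars).
SAMPLE_LAYOUT = {
    "confluence/WEB-INF/lib/commons-text-1.10.0.jar": None,
    "synchrony-proxy/WEB-INF/lib/commons-text-1.9.jar": None,
    "plugins-osgi-cache/felix/felix-cache/bundle158/version0.0/oauth-plugin.jar": "META-INF/lib/commons-text-1.9.jar",
    "plugins-osgi-cache/felix/felix-cache/bundle165/version0.0/nav-links-plugin.jar": "META-INF/lib/commons-text-1.5.jar",
    "plugins-osgi-cache/felix/felix-cache/bundle200/version0.0/unrelated-plugin.jar": "META-INF/lib/commons-lang3-3.12.0.jar",
}


def build_sample_tree(root):
    """Write the constructed layout below root: empty files for loose jars, real zips for bundles."""
    for rel, embedded in SAMPLE_LAYOUT.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if embedded is None:
            open(path, "wb").close()            # empty file; only its name matters to the scan
        else:
            with zipfile.ZipFile(path, "w") as zf:
                zf.writestr(embedded, b"")       # a bundle jar carrying an embedded library jar


def scan_sample():
    """Build the sample tree in a temporary directory and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{'AFFECTED' if f.affected else 'ok':8} {f.version:7} {f.location}")
```

      Point it at a real install by calling scan_tree() on the Confluence install directory and, separately, on the home directory that holds plugins-osgi-cache; the OSGi cache only exists after the instance has started and unpacked its bundles, which is why the unpacked distribution zip alone looks cleaner than a running instance.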


            [CONFSERVER-81048] Upgrade Apache Commons-text for CVE-2022-42889

            KGrandhi added a comment -

            This issue remains on most Atlassian products. My Crowd instance doesn't have external plugins, but this is not fixed in the native OAuth plugin even with the latest version of Crowd:

            .../caches/felix/felix-cache/bundle32/version0.0/atlassian-oauth-service-provider-plugin-5.0.0.jar-embedded/META-INF/lib/commons-text-1.9.jar

            This issue exists on all Atlassian Data Center products. Hope Atlassian addresses this soon.

            Richard Atkins added a comment -

            This problem was partially fixed in 7.13.12, 7.19.4, 7.20.2, and 8.0.0, but as you have mentioned, we missed updating embedded copies of this library in several components. The complete fix, including updates to the remaining components, has now shipped in 7.13.13, 7.19.5, and 8.1.0. I will fix the fix versions of this issue accordingly.

            I want to stress again that Confluence DC was never vulnerable to this issue, as we do not invoke the affected code path.

            Yannick Bergeron added a comment -

            Exactly, please reopen because 7.13.12 still has synchrony-proxy and some system plugins vulnerable (either provide an update of these plugins on the Marketplace or include them in a future 7.13.x release).

            Juan Pablo Hernandez added a comment -

            Hello,

            Thanks for your quick response. In this case I see some system plugins, for example OAuth authentication:

            /data0/atlassian/confluence/7.19.4/plugins-osgi-cache/felix/felix-cache/bundle158/version0.0/atlassian-oauth-service-provider-plugin-4.5.2.jar-embedded/META-INF/lib/commons-text-1.9.jar

            In my understanding Atlassian should work on it.

            Philippe PEREZ added a comment -

            Juan Pablo,
            For the last line, you have to update the Gliffy plugin. The fix for commons-text is in 9.7.2.

            All the other plugins are the responsibility of Atlassian, and it is incredible that they did not fix the dependencies of all their plugins.
            We can find the exact same entries with 7.13.12.

            Juan Pablo Hernandez added a comment -

            Hello,

            The vulnerability is still present in version 7.19.4:

            /data0/atlassian/confluence/7.19.4/install/confluence/WEB-INF/lib/commons-text-1.10.0.jar
            /data0/atlassian/confluence/7.19.4/install/synchrony-proxy/WEB-INF/lib/commons-text-1.9.jar
            /data0/atlassian/confluence/7.19.4/plugins-osgi-cache/felix/felix-cache/bundle142/version0.0/atlassian-gadgets-opensocial-plugin-7.0.6.jar-embedded/META-INF/lib/commons-text-1.7.jar
            /data0/atlassian/confluence/7.19.4/plugins-osgi-cache/felix/felix-cache/bundle158/version0.0/atlassian-oauth-service-provider-plugin-4.5.2.jar-embedded/META-INF/lib/commons-text-1.9.jar
            /data0/atlassian/confluence/7.19.4/plugins-osgi-cache/felix/felix-cache/bundle165/version0.0/atlassian-nav-links-plugin-7.1.2_1669095562000.jar-embedded/META-INF/lib/commons-text-1.5.jar
            /data0/atlassian/confluence/7.19.4/plugins-osgi-cache/felix/felix-cache/bundle309/version0.0/1647539010207gliffy-confluence-plugin-9.7.1_1647539010207.jar-embedded/META-INF/lib/commons-text-1.9.jar

            Could you help us to resolve the vulnerability? All commons-text libraries have to be upgraded.

            Infra Structure added a comment -

            Hi richatkins, et al, could you please see my comment above and reopen this issue so the issue can be addressed?

            Rgds

            Infra Structure added a comment - edited

            Hi, I have just unzipped atlassian-confluence-7.19.4 and, given that the affected versions run from v1.5 through to v1.9, I would not expect to see any of these versions in the release:

            $>find . -name "*commons-text*"
            ./licenses/org.apache.commons--commons-text–1.6.txt
            ./licenses/org.apache.commons--commons-text–1.7.txt
            ./licenses/org.apache.commons--commons-text–1.5.txt
            ./licenses/org.apache.commons--commons-text–1.10.0.txt
            ./licenses/org.apache.commons--commons-text–1.9.txt
            ./confluence/WEB-INF/lib/commons-text-1.10.0.jar
            ./synchrony-proxy/WEB-INF/lib/commons-text-1.9.jar

            Please advise?

            Also, is there any way you can run the package/zip through VirusTotal ( https://www.virustotal.com/gui/file/0812f284ac5dd0d617461d9a2ab6ac6811137f25122dfffd4788a4871e732d00 ) once a new zip has been produced?

            Rgds

            odykovy (Inactive) added a comment -

            A fix for this issue is available in Confluence Server and Data Center 7.13.12.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Samuel Leung added a comment -

            I urge everyone to remember to click 'MORE > Add Vote' at the top of this page.
            Do the same on the following two pages:

            If you also use Jira > https://jira.atlassian.com/browse/JRASERVER-74501

            The CVE in general > 'Upgrade Apache Commons-text for CVE-2022-42889' > https://jira.atlassian.com/browse/CWD-5892
