Upgrade Apache Commons-text for CVE-2022-42889

XMLWordPrintable

    • 8.2
    • 168
    • Severity 3 - Minor
    • 126

      BUG RE-OPENED

      Jira Service Management 5.4.3 ( which was supposed to be fixed at 9.4.3 / 5.4.3 ) is still generating files with common text library of 1.6 version in the /plugins/.osgi-plugins folder. Even after deleting these files, they keep generating them back again in the next restart. Due to this, Security Scans are still detecting vulnerability for CVE-2022-42889.

      find /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/ -iname commons-text-1.6.jar -exec ls -l {} \;
rw-rr-. 1 jira jira 197176 Mar 21 17:01 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle187/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
rw-rr-. 1 jira jira 197176 Mar 21 17:02 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle197/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
rw-rr-. 1 jira jira 197176 Mar 21 17:02 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle204/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
rw-rr-. 1 jira jira 197176 Mar 21 17:02 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle205/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar
rw-rr-. 1 jira jira 197176 Mar 21 17:01 /data0/atlassian/jira/9.4.3_home/plugins/.osgi-plugins/felix/felix-cache/bundle206/version0.0/bundle.jar-embedded/META-INF/lib/commons-text-1.6.jar

      It has been identified by our Developers at https://asecurityteam.atlassian.net/browse/VULN-1020573 that there are still 5 JAR files from Jira Service Management that needs to be fixed that is generating these common text library of 1.6 version above.

      JIRA_HOME/plugins/installed-plugins/servicedesk-reports-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/jira-servicedesk-application-5.4.3.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-variable-substitution-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-search-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-notifications-plugin-5.4.3-REL-0001.jar
JIRA_HOME/plugins/installed-plugins/servicedesk-reports-plugin-5.4.3-REL-0001.jar

      --------------------------------------------------------------------------------

      DISCLAIMER

      Jira IS NOT VULNERABLE to CVE-2022-42889.

      This bug was created to track the change required to upgrade the Apache Commons Text library and can be used by customers to follow its progress and get notified on the next numbered release.

      Jira does not use the vulnerable module org.apache.commons.text.StringSubstitutor

      Issue Summary

      Apache Common Text library should be upgraded to 1.10.0 or later to mitigate any exploiting attempts listed on CVE-2022-42889

      This is reproducible on Data Center: yes

      Steps to Reproduce

      Check org.apache.commons -> commons-text version on pom.xml

      Expected Results

      apache-common-text 1.10.0+ is expected

      Actual Results

      apache-common-text 1.9 (or earlier) is used

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available

            Assignee:
            Filip Nowak
            Reporter:
            Andy Rusnak
            Votes:
            93 Vote for this issue
            Watchers:
            139 Start watching this issue

              Created:
              Updated:
              Resolved: