Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 1.15.1
- Fix Version/s: None
Description
I have encountered the security vulnerability CVE-2022-42889 related to Apache Commons Text. It is mentioned that the mitigation is to "Upgrade to Apache Commons Text 1.10.0." because the following jar files are present.
<GEODE_HOME>/locator01/GemFire_gemfire/services/http/0.0.0.0_7070_pulse_xxxxxxxx/webapp/WEB-INF/lib/commons-text-1.9.jar
<GEODE_HOME>/locator01/GemFire_root/services/http/0.0.0.0_7070_pulse_xxxxxxxx/webapp/WEB-INF/lib/commons-text-1.9.jar
The latest official Apache Geode version 1.15.1 has the vulnerable file commons-text-1.9.jar, which falls under the affected range “version 1.5 and continuing through 1.9”. Inside the folder <GEODE_HOME>/tools/Pulse, there is the file geode-pulse-1.15.1.war. Inside that war file, there is the file geode-pulse-1.15.1.war/WEB-INF/lib/commons-text-1.9.jar.
As a temporary workaround, I replaced the file commons-text-1.9.jar with commons-text-1.10.0.jar, updated the MANIFEST.MF file under geode-pulse-1.15.1.war/META-INF, and created a new geode-pulse-1.15.1.war file including the 2 updated files mentioned.
Unfortunately, I’m not a developer. I’m not familiar with GitHub, so as much as I would like to help in contributing to the code, there is a more appropriate person to perform the update to commons-text 1.10.0. I have sent a mail to the ASF Security Team, and I was given this link that shows the dependency on the vulnerable commons-text version 1.9.
Can somebody assist in fixing this security vulnerability? Any help is very much appreciated. Thank you in advance!
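The report above gives two things an operator has to do by hand: find every commons-text jar packed inside a war such as geode-pulse-1.15.1.war and decide whether it falls in the affected range (1.5 through 1.9), then rebuild the war with commons-text-1.10.0.jar and a matching MANIFEST.MF. The script below is an added example, not Geode project code and not the reporter's own procedure, that does both with only the Python standard library. The war it scans is a constructed sample with placeholder jar bytes; the version range is the one quoted in the report, and the manifest handling assumes the jar is referenced by its plain file name on a single line.

```python
"""Added example: scan .war archives for Apache Commons Text jars, flag the
CVE-2022-42889 affected range (1.5 through 1.9) and rebuild the war with a
replacement jar. Standard library only; the sample war is constructed here."""
import os
import posixpath
import re
import tempfile
import zipfile

AFFECTED_MIN = (1, 5)   # affected range as quoted in the report
AFFECTED_MAX = (1, 9)
# Matches entries such as WEB-INF/lib/commons-text-1.9.jar and captures the version.
JAR_RE = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_affected(version):
    """True when the version lies in 1.5..1.9 inclusive (1.4 and 1.10.0 are clear)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_commons_text(war_path):
    """Return (entry, version, affected) for every commons-text jar in the war."""
    hits = []
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            m = JAR_RE.search(name)
            if m:
                hits.append((name, m.group(1), is_affected(m.group(1))))
    return hits


def replace_jar(war_path, out_path, old_entry, new_jar_name, new_jar_bytes):
    """Copy the war to out_path, swapping old_entry for new_jar_name and
    rewriting references to the old file name in META-INF/MANIFEST.MF.
    Assumption: the manifest names the jar on one line; a name wrapped across
    72-byte continuation lines would not be rewritten by this simple replace."""
    old_base = posixpath.basename(old_entry)
    new_entry = posixpath.join(posixpath.dirname(old_entry), new_jar_name)
    with zipfile.ZipFile(war_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == old_entry:
                dst.writestr(new_entry, new_jar_bytes)
            elif info.filename == "META-INF/MANIFEST.MF":
                dst.writestr(info.filename,
                             data.replace(old_base.encode(), new_jar_name.encode()))
            else:
                dst.writestr(info, data)


def build_sample_war(path):
    """Constructed sample mimicking the pulse war layout with a vulnerable jar."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nClass-Path: commons-text-1.9.jar\n")
        war.writestr("WEB-INF/lib/commons-text-1.9.jar", b"<placeholder jar bytes>")
        war.writestr("WEB-INF/lib/commons-lang3-3.12.0.jar", b"<placeholder jar bytes>")


def run_demo():
    """Build the sample war, scan it, replace the affected jar, scan the result."""
    with tempfile.TemporaryDirectory() as tmp:
        war = os.path.join(tmp, "sample-pulse.war")
        fixed = os.path.join(tmp, "sample-pulse-fixed.war")
        build_sample_war(war)
        before = find_commons_text(war)
        affected = [h for h in before if h[2]]
        if not affected:
            return before, before, ""
        # A war carries one commons-text jar; only the first affected hit is replaced.
        replace_jar(war, fixed, affected[0][0], "commons-text-1.10.0.jar",
                    b"<placeholder 1.10.0 jar bytes>")
        after = find_commons_text(fixed)
        with zipfile.ZipFile(fixed) as z:
            manifest = z.read("META-INF/MANIFEST.MF").decode()
        return before, after, manifest


if __name__ == "__main__":
    before, after, manifest = run_demo()
    for entry, version, affected in before:
        print(f"{entry}: {version} {'AFFECTED' if affected else 'ok'}")
    print("after replacement:", after)
```

Pointing find_commons_text at the real geode-pulse-1.15.1.war under <GEODE_HOME>/tools/Pulse, or at the exploded copies under each locator's services/http directory, lists the jar and its version so the check can be repeated after an upgrade; replace_jar is the scripted form of the manual swap, and the rebuilt war should be verified with find_commons_text before it is deployed.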