Technical Service Bulletin (2022-631) (Security) - CVE-2022-42889 - Apache Commons Text

Products affected: 

• Cloudera Data Platform (CDP) Private Cloud Base
• Cloudera Distributed Spark (CDS) for CDP
• Cloudera Flow Management (CFM)
• Cloudera Edge Management (CEM)
• Hortonworks DataFlow (HDF)
• Cloudera Streaming Analytics (CSA)
• Cloudera Streams Messaging (CSM)
• Cloudera Stream Processing (CSP) 
• Ambari
• AM2CM tool

Releases affected: 

• CDP Private Cloud Base from 7.1.1 through 7.1.8 Cumulative Hotfix (CHF)1
• CFM 2.1.4 and lower versions
• CFM 2.2.5 and lower versions
• CEM 1.4.1 and lower versions
• All HDF versions
• All CSM Versions 
• CSA 1.8.0
• CSP 2.0
• Ambari 7.1.x
• AM2CM from 2.1.0.0 through 2.3.0.0 (AM2CM is not bound to any platform or product, and it is downloaded separately. It is a migration utility and once migration is successfully completed, AM2CM can be stopped and removed)

Impact:

• Apache Hue
  • The Query Processor service of Hue uses Apache Commons Text 1.9 exclusively for configuration interpolation. This means that the Query Processor may be vulnerable to remote code execution if untrusted configuration values are used.
• Data Analytic Studio (DAS)
  • DAS uses Apache Commons Text 1.9 exclusively for configuration interpolation. This means that DAS may be vulnerable to remote code execution if untrusted configuration values are used.
• Kafka Connect
  • Kafka Connect uses Apache Commons Text as a transitive dependency through Apache NiFi. NiFi does not expose the vulnerable functionality.
• Streams Messaging Manager (SMM) 
  • SMM uses Apache Commons Text as a transitive dependency of Dropwizard. Dropwizard uses Commons Text for configuration interpolation. SMM does not use any of the affected interpolators in its Dropwizard configuration.
• Streams Replication Manager (SRM)
  • SRM uses Apache Commons Text as a transitive dependency of Dropwizard. Dropwizard uses Commons Text for configuration interpolation. SRM does not use any of the affected interpolators in its Dropwizard configuration.
• CEM-Stack
  • Edge Flow Manager (EFM) uses Apache Commons Text with version 1.9, but it is limited to Map value lookups and does not support vulnerable prefixes described for StringLookup.
• Schema Registry
  • Schema Registry uses Apache Commons Text as a transitive dependency of Dropwizard. Dropwizard uses Commons Text for configuration interpolation. Schema Registry does not use any of the affected interpolators in its Dropwizard configuration.
• CDF, CFM, HDF, and any NiFi-based products
  • Apache NiFi and NiFi Registry do not expose the vulnerability through its components even though Apache Commons Text is a transitive dependency for some components.
• CSA
  • Apache Flink has Apache Commons Text as a transitive dependency through its NiFi connector, but it does not expose the vulnerability.
  • SQL Stream Builder (SSB) uses Apache Commons Text during the Database migration process, but that is not exposed at all and that code is not part of the running application. 
• Apache Solr
  • Lucene-Solr repository uses a vulnerable version of Apache Commons Text.
  • Search, Spark-Solr, Hive-Solr and HBase-Solr uses Apache Commons Text as a transitive dependency through Lucene-Solr.
  • CDP Private Cloud versions until 7.1.7 Service Pack (SP)1 and CDP Public Cloud versions until 7.2.15 are affected.
• Apache Atlas
  • Atlas uses a vulnerable version of Apache Commons Text as a transitive dependency from JanusGraph, Apache Commons Configuration 2, opencsv dependency
  • CDP Private Cloud versions until 7.1.7 Service Pack 1 and CDP Public Cloud versions until 7.2.15 are affected.
• Apache Spark3
  • CDP Private Cloud Base 7.1.7 and 7.1.8 do not contain Spark3.
  • CDP Public Cloud versions up to 7.2.15 are affected as they contain Spark3, which utilizes a vulnerable version of Apache Commons Text. Spark3 does not directly use the problematic string interpolation; user code however, could potentially use it.
  • CDS versions up to 3.2.2 and 3.3.1 are also affected in the same way: Spark3 utilizes a vulnerable version of Apache Commons Text, however Spark3 does not directly use the problematic string interpolation; user code however, could potentially use it.
• CDW
  • CDW does not use Apache Commons Text directly, but is impacted through the dependencies (such as Hue).
• AM2CM
  • Apache Commons Text is not used for the classic two-stage upgrade, the AM2CM tool is not affected. The experimental one-stage upgrade is affected, but that is not officially supported, and the feature is turned off. 

Users affected: 

• Users of the affected releases identified above

Remediation/solution:

• The Apache Commons Text version will be upgraded to 1.10.0 in CDP Private Cloud Base 7.1.7 SP1 CHF20, 7.1.8 CHF2 and upcoming 7.1.7 SP2
• The Apache Commons Text version will be upgraded in CDS 3.2.2 and CDS 3.3.1
• The Apache Commons Text dependency will be upgraded across NiFi-based products with the next releases based on Apache NiFi 1.18 (CDF-PC-2.3.0, CFM 2.1.5 and 2.2.6)

Recommended Actions:

• Upgrade the environments to the versions containing the fix once they are available.
• Scan custom SMM, SRM, and Schema Registry configurations to ensure that they do not use any of the vulnerable interpolator implementations, such as script, Domain Name System (DNS), Uniform Resource Locator (URL).