IBM Support

CVE-2022-42889: Apache Commons Text vulnerability

Troubleshooting


Problem

 

DATASTAX SUPPORT ALERT - 10/21/22


If you have questions, contact DataStax Support

 

Please ensure that you completely read this alert and take appropriate action if you are impacted by this issue.

 

Issue:

A vulnerability, CVE-2022-42889, has been identified in Apache Commons Text.

The affected file is included in DSE as a part of DSEFS functionality. 

 

Affected Versions:

  • DataStax Enterprise Versions 6.0.8 - 6.0.18, 6.7.4 - 6.7.17, 6.8.0 - 6.8.26
 

Fixed Versions:

  • DataStax Enterprise Version 6.8.27
 

Background:

This CVE takes advantage of text interpolators to execute malicious code. While this library is used in DSEFS, it is only used to capitalize header names with WordUtils. We do not make use of text interpolators. 
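To apply the same reasoning to your own Java code, the sketch below separates use of the Commons Text interpolation API from other uses of the library, such as WordUtils. It is an added example, not DataStax or DSE code: the sample classes are constructed and hypothetical, and the matching is a text heuristic rather than a Java parser.

```python
import re

# Real Commons Text identifiers: interpolation entry points vs. any import of the library.
INTERPOLATOR_API = re.compile(
    r"\b(?:createInterpolator|interpolatorStringLookup|StringLookupFactory)\b")
COMMONS_TEXT_IMPORT = re.compile(
    r"^\s*import\s+(?:static\s+)?org\.apache\.commons\.text\.([\w.*]+)\s*;")
# Heuristic comment matcher; it does not understand "//" inside string literals.
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def audit(sources):
    """Return {file: (verdict, commons-text imports, lines referencing interpolation)}."""
    report = {}
    for name, text in sources.items():
        # Blank out comments but keep newlines so reported line numbers stay correct.
        code = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), text)
        imports, hits = [], []
        for lineno, line in enumerate(code.splitlines(), 1):
            found = COMMONS_TEXT_IMPORT.match(line)
            if found:
                imports.append(found.group(1))
            if INTERPOLATOR_API.search(line):
                hits.append(lineno)
        if hits:
            verdict = "review: interpolation API referenced"
        elif imports:
            verdict = "commons-text used without interpolation API"
        else:
            verdict = "no commons-text usage"
        report[name] = (verdict, imports, hits)
    return report

# Constructed sample sources (hypothetical classes, not DSE code).
SAMPLE = {
    "HeaderNames.java": (
        "import org.apache.commons.text.WordUtils;\n"
        "// no StringSubstitutor.createInterpolator() call in this class\n"
        "class HeaderNames {\n"
        "  static String canon(String h) { return WordUtils.capitalizeFully(h, '-'); }\n"
        "}\n"),
    "Template.java": (
        "import org.apache.commons.text.StringSubstitutor;\n"
        "class Template {\n"
        "  static String render(String s) {\n"
        "    return StringSubstitutor.createInterpolator().replace(s);\n"
        "  }\n"
        "}\n"),
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, result)
```

A "review" verdict only means the interpolation API is referenced; whether untrusted input can reach it still has to be checked by hand.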

 

Mitigation:

DSE does not utilize any of the functionality of commons-text that would create a risk of exploitation. It is totally safe to ignore this CVE in the context of using DSE. DSEFS can continue to be safely used on any version of DSE without concern. 

 

If you have questions or concerns, contact DataStax Support by opening a ticket in the DataStax Support Portal.

Last Reviewed Date: November 10th 2023

Document Location

Worldwide


Historical Number

ka06R000000HcS8QAK

Document Information

Modified date:
30 January 2026

UID

ibm17258909