Vulnerability Update - Apache Commons Text (CVE-2022-42889)
Background
A critical vulnerability has been published in the Apache Commons Text library in versions prior to 1.10.0.
This library is used indirectly in Panintelligence software as a dependency of another library we use.
We have conducted an analysis of our usage of the parent library, and we DO NOT believe there is any way this issue could be exploited in our software because our use is minimal and does not include untrusted input.
Having said that, to provide reassurance we will be integrating the newly published version at the earliest opportunity. We will provide a further update on that in due course.
Events
To help keep customers informed of our latest responses to the issue, we have created an events table detailing the key steps we have taken and are taking.
| Date | Event |
|---|---|
| Oct 20, 2022 | We became aware of a vulnerability https://nvd.nist.gov/vuln/detail/CVE-2022-42889 from Apache, and started to investigate |
| Oct 20, 2022 | Assessment of possible impact completed, and understood |
| Oct 20, 2022 | Decision made to upgrade the library as a precaution and provide greater resilience. To be included in a patch of our standard October 22 release |
| Oct 20, 2022 | Development in progress on a pi.2022-10-12.2 release |
| Oct 24, 2022 | Patch pi.2022-10.12.2 released |