Vulnerability Update - Apache Commons Text (CVE-2022-42889)

Background

A critical vulnerability has been published in the Apache Commons Text library in versions prior to 1.10.0.

This library is used indirectly in Panintelligence software as a dependency of another library we use.

We have conducted an analysis of our usage of the parent library, and we DO NOT believe there is any way this issue could be exploited in our software, because our use is minimal and does not include untrusted input.

Having said that, to provide reassurance we will be integrating the newly published version at the earliest opportunity. We will provide a further update on that in due course.

Events

To help keep customers informed of our latest responses to the issue, we have created an events table detailing the key steps we have taken or are taking.

Date          Event
------------  -----------------------------------------------------------------
Oct 20, 2022  We became aware of the vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2022-42889) published by Apache and started to investigate.
Oct 20, 2022  Assessment of possible impact completed and understood.
Oct 20, 2022  Decision made to upgrade the library as a precaution and to provide greater resilience. To be included in a patch of our standard October 22 release.
Oct 20, 2022  Development in progress on a pi.2022-10-12.2 release.
Oct 24, 2022  Patch pi.2022-10.12.2 released.