Pentaho

(Resolved) CVE-2022-42889 – Apache Commons Text vulnerability fix ReadMe

 

Overview

The purpose of this document is to provide remediation steps for CVE-2022-42889, a vulnerability that affects Lumada Data Catalog v6.1.1. The vulnerability could potentially allow unauthenticated attackers to execute code remotely on servers running applications with the affected component.

 

Products Affected 

LDC 6.1.1 - LDC 6.1.1 HF14

 

Description
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Starting with version 1.5 and continuing through 1.9, the set of default lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

For more information on this CVE, refer to: https://nvd.nist.gov/vuln/detail/cve-2022-42889.

 

Resolution

Replace the LDC Agent’s copy of the Apache Commons Text jar v1.8 with Apache Commons Text v1.10.0.

 

Installation Steps
Step 1:
➢ If running, stop the LDC agent:
<Agent Dir>$ bin/agent stop
Step 2:
➢ Remove commons-text-1.8.jar from the agent dependencies:
$ rm <Agent Dir>/lib/dependencies/commons-text-1.8.jar
Step 3:
➢ Download the upgraded version of the commons-text jar into <Agent Dir>/lib/dependencies/:
$ cd <Agent Dir>/lib/dependencies
$ wget https://repo1.maven.org/maven2/org/apache/commons/commons-text/1.10.0/commons-text-1.10.0.jar
Step 4:
➢ Start the LDC agent
<Agent Dir>$ bin/agent start
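
A check that can be run after Step 3 to confirm the swap, as an added example that is not part of Pentaho's instructions: it classifies every Commons Text jar in a dependency directory against the 1.5 to 1.9 range given in the Description. It assumes jars keep the commons-text-<version>.jar naming used in the steps above; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not Pentaho's tooling: audit an agent dependency directory
# for Commons Text jars in the 1.5-1.9 range described in this ReadMe.

# Print "vulnerable", "ok" or "unknown" for a Commons Text version string.
# Components are compared as integers so 1.10.0 does not sort below 1.8.
commons_text_status() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # tolerate suffixes such as 9-SNAPSHOT
    case "$major" in ''|*[!0-9]*) echo "unknown"; return 0 ;; esac
    case "$minor" in '') echo "unknown"; return 0 ;; esac
    if [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]; then
        echo "vulnerable"
    else
        echo "ok"
    fi
}

# Print one "<status> <file>" line per commons-text-*.jar found in DIR.
# Returns 0 if every jar is ok, 1 if any is vulnerable or unknown,
# 2 if no Commons Text jar is present (Step 3 did not complete).
scan_dependencies() {
    dir=$1
    rc=0
    found=0
    for jar in "$dir"/commons-text-*.jar; do
        [ -e "$jar" ] || continue    # glob matched nothing
        found=1
        name=${jar##*/}
        version=${name#commons-text-}
        version=${version%.jar}
        status=$(commons_text_status "$version")
        echo "$status $name"
        [ "$status" = "ok" ] || rc=1
    done
    if [ "$found" -eq 0 ]; then
        echo "missing: no commons-text jar in $dir"
        return 2
    fi
    return "$rc"
}

# Stand-alone use: pass the dependency directory as the first argument.
if [ "$#" -gt 0 ]; then
    scan_dependencies "$1"
fi
```

The check is based on file names only, so a copy of the library that has been renamed or bundled inside another archive is not detected.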

 

Note: Future versions of LDC and its hotfixes will include versions of Apache Commons Text that are not susceptible to the vulnerability documented in CVE-2022-42889. Please follow the Installation Steps to resolve the vulnerability issue in existing instances.
