The purpose of this document is to provide remediation steps for CVE-2022-42889, a vulnerability that affects Lumada Data Catalog v6.1.1. The vulnerability could allow unauthenticated attackers to execute code remotely on servers running applications that use the affected component.
Affected versions: LDC 6.1.1 - LDC 6.1.1 HF14
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Starting with version 1.5 and continuing through 1.9, the set of default lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
For more information on this CVE, refer to: https://nvd.nist.gov/vuln/detail/cve-2022-42889.
Replace the LDC Agent’s copy of the Apache Commons Text jar v1.8 with Apache Commons Text v1.10.0.
➢ If running, stop the LDC agent:
<Agent Dir>$ bin/agent stop
➢ Remove commons-text-1.8.jar from the agent dependencies:
$ rm <Agent Dir>/lib/dependencies/commons-text-1.8.jar
➢ Download the upgraded commons-text jar and copy it to <Agent Dir>/lib/dependencies/:
$ cd <Agent Dir>/lib/dependencies
$ wget https://repo1.maven.org/maven2/org/apache/commons/commons-text/1.10.0/commons-text-1.10.0.jar
➢ Start the LDC agent:
<Agent Dir>$ bin/agent start
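The steps above, collected into a script, as an added example that is not part of this advisory or of the LDC product. It first audits the agent's lib/dependencies directory for any commons-text jar in the 1.5 through 1.9 range (detected from the jar file name), then applies the same stop / remove / download / start sequence, with two changes for safety: the 1.10.0 jar is downloaded and checked before the old one is deleted, and nothing is removed unless a vulnerable jar was actually found. The agent directory is passed as an argument; the download URL is the one given in the steps above. The `bin/agent` command and the directory layout are assumed from this page.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling): audit an LDC Agent install
# for CVE-2022-42889-affected commons-text jars and optionally remediate.
# Usage: sh remediate.sh --audit <Agent Dir>   (report only)
#        sh remediate.sh --apply <Agent Dir>   (stop, swap jar, start)

COMMONS_TEXT_FIXED="1.10.0"
COMMONS_TEXT_URL="https://repo1.maven.org/maven2/org/apache/commons/commons-text/${COMMONS_TEXT_FIXED}/commons-text-${COMMONS_TEXT_FIXED}.jar"

# Print the version embedded in a commons-text jar file name,
# e.g. lib/dependencies/commons-text-1.8.jar -> 1.8. Prints nothing if the
# name does not match the commons-text-<version>.jar pattern.
commons_text_version() {
    basename "$1" | sed -n 's/^commons-text-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Return 0 if the version falls in the range CVE-2022-42889 covers
# (1.5 through 1.9, inclusive). Only major.minor are compared.
is_vulnerable_version() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # not a plain dotted version string
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]
}

# List every vulnerable commons-text jar under a directory, one path per line.
find_vulnerable_jars() {
    find "$1" -type f -name 'commons-text-*.jar' | while read -r jar; do
        ver=$(commons_text_version "$jar")
        if [ -n "$ver" ] && is_vulnerable_version "$ver"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Apply the advisory's steps for one agent install. The new jar is fetched
# and sanity-checked (non-empty, starts with the zip magic "PK") before the
# agent is stopped and the old jar removed, so a failed download leaves the
# install untouched.
remediate_agent() {
    agent_dir=$1
    deps="$agent_dir/lib/dependencies"
    new="$deps/commons-text-${COMMONS_TEXT_FIXED}.jar"
    old=$(find_vulnerable_jars "$deps")
    if [ -z "$old" ]; then
        echo "no vulnerable commons-text jar under $deps; nothing to do" >&2
        return 1
    fi
    wget -q -O "$new" "$COMMONS_TEXT_URL" || { rm -f "$new"; return 1; }
    if [ ! -s "$new" ] || [ "$(head -c 2 "$new")" != "PK" ]; then
        echo "downloaded file is not a jar archive; aborting" >&2
        rm -f "$new"
        return 1
    fi
    "$agent_dir/bin/agent" stop
    printf '%s\n' "$old" | while read -r jar; do rm -f "$jar"; done
    "$agent_dir/bin/agent" start
}

case "${1:-}" in
    --audit) find_vulnerable_jars "$2" ;;
    --apply) remediate_agent "$2" ;;
esac
```

Run `--audit` first on every agent host; it prints nothing when the install is already clean. Because the remediation removes every vulnerable commons-text jar it finds, a second copy left under lib/dependencies (for example a 1.9 jar alongside the 1.8 one) is handled as well.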
Note: Future versions of LDC and its hotfixes will include versions of Apache Commons Text that are not susceptible to the vulnerability documented in CVE-2022-42889. Please follow the steps above to resolve the vulnerability in existing instances.