
Is ArcGIS affected by CVE-2022-42889 (Apache Commons Text versions 1.5 through 1.9)

10-21-2022 04:08 AM
DominikWyroba
New Contributor

Hello,

Is there any info on whether ArcGIS is affected by the new vulnerability CVE-2022-42889 (Apache Commons Text versions 1.5 through 1.9)?

0 Kudos
12 Replies
RandallWilliams
Esri Regular Contributor

While Commons-text is utilized across a number of ArcGIS products, we have validated that the base ArcGIS Enterprise deployment (Portal for ArcGIS, ArcGIS Server, ArcGIS Datastore) and ArcGIS Pro are not vulnerable. A security scanner run against these products may incorrectly flag the vulnerability as present. This is because some security scanners detect a vulnerable version of Commons-text; however, we have confirmed that the library, when present in these products, is not used in a way that would make it vulnerable to this CVE.

According to CISA's Known Exploited Vulnerabilities Catalog, this issue is not known to have been exploited in the wild in any product.

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

see:

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/commons-text-vulnerability/

0 Kudos
AlexEntringer
New Contributor

We have Microsoft security scanners also telling us that this is vulnerable. I know you say that the version that is in use isn't, but are there plans to update to a 'secured' version? I also have to explain why we are not getting things patched or fixed. Stating it isn't vulnerable doesn't make it go away on the dashboard, and then the conversation comes back again asking why this isn't fixed. It would be great if the Commons-text gets updated so that one less thing is showing up on security scanners.

0 Kudos
RandallWilliams
Esri Regular Contributor

Hi Alex,

As part of our regular 3rd party component update cadence, we are moving to commons-text 1.10 at ArcGIS Enterprise 11.1. Feel free to use the text in the advisory on the ArcGIS Trust Center when speaking to your IA team.

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/commons-text-vulnerability/

In terms of CISA's Vulnerability Exploitability eXchange (VEX) Status Justifications, our software is not affected by this issue because the Vulnerable_code_cannot_be_controlled_by_adversary.

0 Kudos
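The thread turns on two separate questions: whether a commons-text jar in the affected 1.5 through 1.9 range is present (what a scanner checks), and whether that code is reachable by an adversary (what the vendor's VEX statement asserts). The script below, an added example and not Esri code or any scanner's logic, inventories commons-text jars under a directory, reads the version from the jar manifest before falling back to the filename, and records the scanner's view next to a simplified VEX-style assessment. The 1.5 through 1.9 range and the 1.10 fix come from the thread; the status and justification labels are the ones CISA defines for VEX; the sample jars are constructed in a temporary directory, and the `reachable_by_untrusted_input` flag is an assumption the reader must supply from their own product review, since no code can infer it from the jar alone.

```python
"""Inventory commons-text jars and record a VEX-style assessment for CVE-2022-42889.

Added example, not Esri's code. Assumptions: the affected range is 1.5..1.9 and the
fix is 1.10 (from the thread); the status/justification vocabulary is CISA's VEX list.
"""
import re
import tempfile
import zipfile
from pathlib import Path

CVE = "CVE-2022-42889"
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)
FIXED = (1, 10)

# CISA VEX status-justification labels (used only for the not_affected status).
VEX_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def parse_version(text):
    """Turn '1.9' or '1.10.0' into a comparable (major, minor) tuple, or None."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def jar_version(path):
    """Prefer the manifest's Implementation-Version; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                version = parse_version(line.split(":", 1)[1])
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # no manifest or unreadable jar: filename is the only evidence left
    return parse_version(Path(path).name)


def find_commons_text(root):
    """Yield (path, version) for every commons-text jar below root, sorted by path."""
    for p in sorted(Path(root).rglob("commons-text-*.jar")):
        yield str(p), jar_version(p)


def in_affected_range(version):
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(version, reachable_by_untrusted_input):
    """Scanner view (version match only) next to a simplified VEX-style assessment."""
    if version is None:
        return {"scanner_flags": False, "status": "under_investigation", "justification": None}
    if version >= FIXED:
        return {"scanner_flags": False, "status": "fixed", "justification": None}
    if version < AFFECTED_MIN:
        return {"scanner_flags": False, "status": "not_affected",
                "justification": "vulnerable_code_not_present"}
    # Version is in 1.5..1.9: every scanner keyed on the version string will flag it.
    if reachable_by_untrusted_input:
        return {"scanner_flags": True, "status": "affected", "justification": None}
    justification = "vulnerable_code_cannot_be_controlled_by_adversary"
    assert justification in VEX_JUSTIFICATIONS
    return {"scanner_flags": True, "status": "not_affected", "justification": justification}


def build_sample_jar(directory, name, impl_version=None):
    """Constructed sample: a minimal jar, optionally carrying a manifest version."""
    path = Path(directory) / name
    with zipfile.ZipFile(path, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if impl_version:
            manifest += f"Implementation-Version: {impl_version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return path


def run_demo(reachable_by_untrusted_input=False):
    """Build two constructed jars, inventory them, and return the assessments."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_jar(d, "commons-text-1.9.jar", "1.9")        # manifest-versioned
        build_sample_jar(d, "commons-text-1.10.0.jar")            # filename only
        results = []
        for path, version in find_commons_text(d):
            entry = {"jar": Path(path).name, "version": version, "cve": CVE}
            entry.update(assess(version, reachable_by_untrusted_input))
            results.append(entry)
        return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The `scanner_flags` field will be true for the 1.9 jar regardless of the VEX outcome, which is exactly the dashboard situation described in the thread: the version match is real, and only the justification explains why it is not exploitable in that product. The justification must be backed by a review of how the library is called; the script records that decision, it does not make it.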