[IGN-6745] Apache Commons Text vulnerability in Ignition?

Hi,

Does somebody have some background information about the vulnerability CVE-2022-42889?
The Apache Commons Text 1.9 is also used in the latest (8.1.21) Ignition version.
Is this vulnerability a big risk for Ignition?

Some of our customers are getting worried about this vulnerability.
I know the IA software department already has a ticket to fix this issue.
But the customer is considering shutting down the Ignition server until this issue is fixed.
But I'm not sure what to advise them.
Could somebody give some more background on the impact of this vulnerability and Ignition?

From the Apache Commons website:

  • If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
    Commons Text – Apache Commons Text Security Reports

The closest that would come readily to mind is using QueryStrings in a named query, where you should always sanitize your inputs anyway. But, I don't know if it's using StringSubstitutor or not.

EDIT: I updated the title to reflect which CVE we're talking about.

We reviewed this particular CVE earlier last month--there aren't any usages of the affected functions (StringSubstitutor#createInterpolator to be specific) within Ignition.

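The condition quoted from the Apache advisory above (exposure only when StringSubstitutor's interpolating lookups see unsanitized input), shown as an added illustration that is neither Ignition's code nor anything posted in this thread. The class and method names are hypothetical; the commons-text API calls are real.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Hypothetical helper class (not from Ignition) contrasting the construction
// CVE-2022-42889 concerns with two constructions that never reach the
// script/dns/url lookups that commons-text 1.10.0 removed from the defaults.
public final class SafeTemplate {

    // Risky pattern: createInterpolator() wires in the default prefix lookups.
    // Before 1.10.0 that set includes script, dns and url, so untrusted text
    // passed to replace() selects which lookup runs. Shown only for contrast.
    static String renderWithInterpolator(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // Safe pattern: a substitutor over a plain map. Any name that is not a map
    // key, including prefixed tokens, is left in the output as literal text.
    static String renderFromMap(String template, Map<String, String> values) {
        return new StringSubstitutor(values).replace(template);
    }

    // Safe pattern when prefixed lookups are genuinely needed: build the
    // interpolator with an explicit allow-list and addDefaultLookups=false.
    static String renderWithAllowList(String template, Map<String, String> values) {
        StringLookup mapLookup = StringLookupFactory.INSTANCE.mapStringLookup(values);
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of("val", mapLookup), // only "${val:...}" resolves
                null,                     // no fallback for unprefixed names
                false);                   // do not add the built-in lookups
        return new StringSubstitutor(interpolator).replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> values = Map.of("user", "alice");
        // Constructed sample input: a legitimate placeholder next to a prefixed
        // token that a caller never intended to be interpreted.
        String untrusted = "Hello ${user}, tag=${script:not-resolved-here}";
        System.out.println(renderFromMap(untrusted, values));
        System.out.println(renderWithAllowList("Hello ${val:user}", values));
    }
}
```

The map-backed and allow-list substitutors print the prefixed token back unchanged, which is the behaviour a code review would look for when auditing any StringSubstitutor usage against this CVE.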

It is probably worth making a public news item to that effect.


Please do. I have a client who discovered this vulnerability as well. I would like to provide them with information that is a little more official than a forum discussion.

Thanks to everyone involved for this discussion, I would have had very little to tell our client without it.


Do we have a public statement yet?


Was the fix implemented in an Ignition release? I saw it listed in one of the nightly updates. I would assume it has made it into the full releases by now, but can someone please verify that? My client continues to be concerned about this issue.

I'll keep searching and post here if I find verification.

See here:

V8.1.23+ is now dependent on Apache commons-text library version 1.10.0 which addresses the vulnerability.


Also in the official release notes.


Thank you. I was looking for first verification and then something I can pass on to our client to let them know the patch has now been installed in the regular monthly Ignition releases. That confirms that it went into a nightly update, and it makes sense that it would be in the full 8.1.23 release after that.

That's the document I need to show that the upgrade is in the newer releases of Ignition (8.1.23+).

Thank you.