[IGN-6745] Apache Commons Text vulnerability in Ignition?

Hi,

Does somebody have some background information about the vulnerability: CVE - CVE-2022-42889
The Apache Commons Text 1.9 is also used in the latest (8.1.21) Ignition version.
Is this vulnerability a big risk for Ignition?

Some of our customers are getting worried about this vulnerability.
I know the IA software department already has a ticket to fix this issue.
But the customer is considering shutting down the Ignition server until this issue is fixed.
But I'm not sure what to advise them.
Could somebody give some more background on the impact of this vulnerability and Ignition?

From the Apache Commons website:

  • If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
    Commons Text – Apache Commons Text Security Reports

The closest that would come readily to mind is using QueryStrings in a named query, where you should always sanitze your inputs anyway. But, I don't know if it's using StringSubstitutor or not.

EDIT: I updated the title to reflect which CVE we're talking about.

We reviewed this particular CVE earlier last month--there aren't any usages of the affected functions (StringSubstitutor#createInterpolator to be specific) within Ignition.

9 Likes

It is probably worth making a public news item to that effect.

12 Likes

Please do. I have a client who discovered this vulnerability as well. I would like to provide them with information that is a little more official than a forum discussion.

Thanks to everyone involved for this discussion, I would have had very little to tell our client without it.

2 Likes

Do we have a public statement yet?

7 Likes