2022: Security Advisory: Vulnerability in Apache library.

Summary

NT-ware is aware that Apache has recently released patches for two of its projects, “Commons Configuration” and “Commons Text”, both of which are libraries used by Java-based software.

Advisory release date

October 2022

Product Affected

uniFLOW sysHUB

Products Reviewed

NT-ware Web Sites, uniFLOW Server, uniFLOW Online and PRISMAsatellite

CVE

CVE-2022-33980, CVE-2022-42889

Severity

While these vulnerabilities have been given a Critical rating where they are exploitable, this is not the case for our implementation. Published CVSS Base score: 9.8 for both CVE-2022-33980 and CVE-2022-42889.

Summary of Vulnerability

Remote Code Execution vulnerabilities have been identified in both libraries (CVE-2022-33980 in Commons Configuration and CVE-2022-42889 in Commons Text) that can be misused if the system is directly or indirectly connected to the internet.

We have reviewed our product base and only found these components within uniFLOW sysHUB.


Affected Versions

Product: uniFLOW sysHUB

Affected versions: 2022.1 and 2022.2

  • CVE-2022-33980: not affected; the Commons Configuration library is not used in the product.

  • CVE-2022-42889: the Commons Text library is delivered with the product, but the vulnerability is not easily exploitable because the affected functions are not actively used in the product.


Fixed Versions

Product: uniFLOW sysHUB

Fix version: 2022.2.1

  • Out of an abundance of caution, NT-ware recommends that customers replace commons-text.jar with the updated library available from our download portal while the final patch is rolled out in the next Service Release.

  • The library will be replaced in the next Service Release, 2022.2.1.
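To verify which copy of the library an installation actually carries, the following script is an added example, not part of this advisory and not NT-ware's or Apache's code. It walks a directory, reads the Implementation-Version from each jar's manifest (falling back to the version in the file name), and flags commons-text or commons-configuration2 jars older than the upstream fixed releases. The fixed versions (Commons Text 1.10.0 for CVE-2022-42889, Commons Configuration 2.8.0 for CVE-2022-33980) are taken from Apache's own advisories and are not stated on this page; the file-name prefixes and the in-memory sample jars are constructed for the demonstration.

```python
"""Inventory jars under a directory and flag vulnerable Commons Text /
Commons Configuration releases. Added example; fixed versions are an
assumption taken from the upstream Apache advisories."""
import io
import os
import re
import sys
import zipfile

# Artifact prefix -> first fixed version (assumed from the Apache advisories).
FIXED_VERSIONS = {
    "commons-text": (1, 10, 0),           # CVE-2022-42889
    "commons-configuration2": (2, 8, 0),  # CVE-2022-33980
}


def parse_version(text):
    """Turn '1.9' or '2.7.1' into a comparable 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def jar_manifest_version(jar_bytes):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else None


def assess_jar(filename, jar_bytes):
    """Return (artifact, version, vulnerable) for a tracked jar, else None.

    A tracked jar whose version cannot be determined is reported as
    vulnerable so that it is reviewed rather than silently skipped."""
    base = os.path.basename(filename)
    for artifact, fixed in FIXED_VERSIONS.items():
        if not base.startswith(artifact + "-"):
            continue
        version = jar_manifest_version(jar_bytes)
        if version is None:
            # Fall back to the version in the file name, e.g. commons-text-1.9.jar
            m = re.match(re.escape(artifact) + r"-(\d+(?:\.\d+)*)\.jar$", base)
            version = m.group(1) if m else None
        if version is None:
            return (artifact, None, True)
        return (artifact, version, parse_version(version) < fixed)
    return None


def scan_directory(root):
    """Walk root and return [(path, artifact, version, vulnerable), ...]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = assess_jar(path, fh.read())
            if result:
                findings.append((path,) + result)
    return findings


def make_sample_jar(artifact, version, with_manifest=True):
    """Build a constructed, manifest-only jar in memory for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\n"
                        f"Implementation-Version: {version}\r\n")
        else:
            zf.writestr("placeholder.txt", "no manifest in this sample")
    return f"{artifact}-{version}.jar", buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for finding in scan_directory(sys.argv[1]):
            print(finding)
    else:
        # No directory given: demonstrate on constructed sample jars.
        for art, ver in [("commons-text", "1.9"), ("commons-text", "1.10.0"),
                         ("commons-configuration2", "2.7")]:
            name, data = make_sample_jar(art, ver)
            print(name, assess_jar(name, data))
```

Run it with the installation directory as the only argument; a `True` in the last field marks a jar that still predates the fixed release and should be swapped for the library from the download portal. Without an argument it runs against the constructed samples only.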


What You Need to Do

Please review the information in this advisory and determine the appropriate action for your organisation.

Mitigation

No mitigation actions are required; please upgrade your installation when possible.

Support

If you have further questions, please contact your Canon / Canon Business Partner representative.