NT-ware is aware that Apache has recently released patches for two of its products, “Commons Configuration” and “Commons Text”. Both are libraries used by software developed in Java.
Advisory release date
NT-ware Web Sites, uniFLOW Server, uniFLOW Online and PRISMAsatellite
While these vulnerabilities have been given a Critical rating if exploitable, this is not the case for our implementation. Published CVSS or CVSS Base score: 9.8 for CVE-2022-33980 and CVE-2022-42889.
Summary of Vulnerability
For both libraries, Remote Code Execution vulnerabilities (CVE-2022-33980 and CVE-2022-42889 respectively) have been identified that can be misused if the system is directly or indirectly connected to the internet.
We have reviewed our product base and only found these components within uniFLOW sysHUB.
2022.1 and 2022.2
CVE-2022-33980: not affected; the library is not used in the product.
CVE-2022-42889: the library is delivered with the product but is not easily exploitable because the affected functions are not actively used in the product.
Out of an abundance of caution, NT-ware recommends that customers replace the commons-text.jar with the one from our download portal while the final patch is rolled out in the next Service Release.
We will replace the libraries with the next service release in 2022.2.1.
What You Need to Do
Please review the information in the advisory and determine the appropriate action for your organisation.
There are no mitigation actions required; please upgrade your installation when possible.
If you have further questions, please contact your Canon / Canon Business Partner representative.