Description
Versions 1.5 through 1.9 of Apache Commons Text are affected by a vulnerability (CVE-2022-42889, "Text4Shell") that allows a remote attacker to execute arbitrary code under certain conditions: the application must pass attacker-controlled text to a "StringSubstitutor" that is configured with the default interpolator lookups, whose "script", "dns" and "url" prefixes evaluate scripts or make network requests during substitution. Updating Commons Text to version 1.10.0 fixes the vulnerability.
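The condition described above, shown as an added example (this is not SER or Apache code): the vulnerable usage pattern next to two safe alternatives. It assumes commons-text 1.5 to 1.9 on the classpath for the vulnerable case; the class name, method names and the constructed payload (which only reads a system property) are illustrative.

```java
// Added example (not SER or Apache code): how CVE-2022-42889 is reached and
// how to avoid it. Assumes commons-text 1.5-1.9 on the classpath for the
// vulnerable method; the payload in main() is constructed for this demo.
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellConditions {

    // VULNERABLE on 1.5-1.9: the interpolator lookup resolves the ${script:...},
    // ${dns:...} and ${url:...} prefixes, so attacker-controlled text that
    // reaches replace() can trigger code execution or outbound requests.
    // StringSubstitutor.createInterpolator() (1.8+) builds the same substitutor.
    // On 1.10.0 these three prefixes are disabled by default and stay unresolved.
    static String interpolateUntrusted(String attackerControlled) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.interpolatorStringLookup());
        return sub.replace(attackerControlled);
    }

    // SAFE on every version: substitute only from an explicit map of known keys.
    // There are no prefix lookups, so "${script:...}" is left in place unchanged.
    static String interpolateSafe(String template, Map<String, String> vars) {
        return new StringSubstitutor(vars).replace(template);
    }

    // SAFE when prefix lookups are really needed: build the interpolator from an
    // explicit allow-list with addDefaultLookups=false, so script/dns/url are absent.
    static String interpolateAllowListed(String template, Map<String, String> vars) {
        StringLookup env = StringLookupFactory.INSTANCE.environmentVariableStringLookup();
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of("env", env),                                   // only "env:" prefix
                StringLookupFactory.INSTANCE.mapStringLookup(vars),   // plain ${key}
                false);                                               // no default lookups
        return new StringSubstitutor(lookup).replace(template);
    }

    public static void main(String[] args) {
        // Constructed payload: on an affected version with a JSR-223 JavaScript
        // engine available (e.g. Nashorn on JDK 8-14) the script is evaluated.
        String payload = "${script:javascript:java.lang.System.getProperty('java.version')}";

        System.out.println("untrusted : " + interpolateUntrusted(payload));
        System.out.println("map only  : " + interpolateSafe(payload, Map.of("user", "alice")));
        System.out.println("allowlist : " + interpolateAllowListed(payload, Map.of("user", "alice")));
        System.out.println("normal use: " + interpolateSafe("hello ${user}", Map.of("user", "alice")));
    }
}
```

The map-only and allow-listed variants print the payload back verbatim because no lookup claims the "script" prefix; the first variant is the only one that evaluates it, and only on an affected version.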
Current information from SER Development (as of 11/7/2022):
- The affected class "org.apache.commons.text.StringSubstitutor" is not used in the SER sources of Doxis Suite.
- Therefore no specific action is currently recommended: without a code path in Doxis Suite that passes input to "StringSubstitutor", there is no attack vector through the product itself. This assessment covers SER code only; customer-developed code against the Doxis Java API is addressed below.
- Starting with version 12.1.0 (planned for Q1/2023), Doxis Suite products use version 1.10.0 of org.apache.commons.commons-text, in which the vulnerability is fixed.
- In the Doxis Java API environment, an older version of org.apache.commons.commons-text can be replaced with version 1.10.0 already. Note that 1.10.0 disables the "script", "dns" and "url" lookups of the default interpolator; in-house code that relied on them must enable them explicitly. Quality assurance for all in-house developments is the responsibility of the customer, so such changes should be tested in advance.
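To find out which commons-text version an in-house deployment actually carries before swapping in 1.10.0, the following added example (not SER tooling) walks a directory of jars, detects the affected class (including inside unrelocated fat jars), reads the version from the jar manifest or the embedded Maven pom.properties, and flags the 1.5 to 1.9 range. The class name, the directory argument and the output format are assumptions of this example.

```java
// Added example (not SER tooling): audit a directory tree of jars for
// commons-text and report whether the bundled version is in the affected
// range 1.5 <= v < 1.10. Usage: java CommonsTextAudit /path/to/lib
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.stream.Stream;

public class CommonsTextAudit {

    // Presence of this entry means commons-text is in the jar, even when it was
    // shaded into a fat jar without package relocation.
    static final String VULN_CLASS = "org/apache/commons/text/StringSubstitutor.class";
    static final String POM_PROPS =
            "META-INF/maven/org.apache.commons/commons-text/pom.properties";

    // true for 1.5 .. 1.9 (any patch level); unknown or unparsable versions are
    // reported as affected so they get looked at rather than silently passed.
    static boolean isAffected(String version) {
        if (version == null) return true;
        String[] parts = version.split("[.\\-]");
        try {
            int major = Integer.parseInt(parts[0]);
            int minor = parts.length > 1 ? Integer.parseInt(parts[1]) : 0;
            return major == 1 && minor >= 5 && minor < 10;
        } catch (NumberFormatException e) {
            return true;
        }
    }

    // Version from the manifest first, then from Maven's pom.properties; null if neither exists.
    static String versionOf(JarFile jar) throws IOException {
        Manifest mf = jar.getManifest();
        if (mf != null) {
            String v = mf.getMainAttributes().getValue("Implementation-Version");
            if (v != null) return v;
        }
        JarEntry props = jar.getJarEntry(POM_PROPS);
        if (props != null) {
            try (InputStream in = jar.getInputStream(props)) {
                Properties p = new Properties();
                p.load(in);
                return p.getProperty("version");
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        try (Stream<Path> files = Files.walk(root)) {
            files.filter(f -> f.toString().endsWith(".jar")).forEach(f -> {
                try (JarFile jar = new JarFile(f.toFile())) {
                    if (jar.getEntry(VULN_CLASS) == null) return; // no commons-text here
                    String v = versionOf(jar);
                    System.out.printf("%s  commons-text=%s  %s%n",
                            f, v == null ? "unknown" : v, isAffected(v) ? "AFFECTED" : "ok");
                } catch (IOException e) {
                    System.err.println("cannot read " + f + ": " + e.getMessage());
                }
            });
        }
    }
}
```

A relocated (package-renamed) shaded copy will not match VULN_CLASS; for those, grep the jar listing for "StringSubstitutor.class" under any package and inspect the version by hand.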