This document describes our position relative to the support of a Trellix product or service.
Trellix response to Apache Commons Text Vulnerability CVE-2022-42889:
Overview
This document addresses concerns about on-prem ePolicy Orchestrator (ePO) and the Apache Commons Text vulnerability documented in CVE-2022-42889.
Description
CVE-2022-42889
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "DNS" - resolve DNS records
- "URL" - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions might be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. It's recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
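The following Java is an added example, not Trellix code and not the library's own documentation. It shows how an application that must interpolate values it does not fully trust can build a StringSubstitutor whose lookup set is an explicit allow-list, so that the "script", "dns" and "url" prefixes are never resolved regardless of which Commons Text version is on the classpath. The lookup names kept ("date", "base64Encoder"), the sample map and the sample input are assumptions chosen for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example: an interpolator restricted to an explicit allow-list of lookups.
public class RestrictedInterpolation {

    static StringSubstitutor restricted(Map<String, String> values) {
        // Only the prefixes registered here are reachable through ${prefix:name}.
        // Neither "script", "dns" nor "url" is in this map, so they cannot be invoked.
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        allowed.put("base64Encoder", StringLookupFactory.INSTANCE.base64EncoderStringLookup());

        // Plain ${name} (no prefix) resolves against the caller's own map. The final
        // argument 'false' tells the factory NOT to add the version's default lookups
        // (which, on 1.5 through 1.9, would include the three risky interpolators).
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed,
                StringLookupFactory.INSTANCE.mapStringLookup(values),
                false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Constructed sample values; not taken from any real deployment.
        Map<String, String> values = new HashMap<>();
        values.put("host", "example.internal");

        // Constructed input standing in for an untrusted configuration value. With
        // StringSubstitutor.createInterpolator() on an affected version, the script
        // placeholder would be evaluated; with the restricted interpolator the prefix
        // is unknown, so the placeholder is left in the output unexpanded.
        String untrusted = "server=${host} ${script:javascript:1+1}";

        System.out.println(restricted(values).replace(untrusted));
    }
}
```

Passing false for addDefaultLookups is the important part: it makes the allowed set independent of what a given release registers by default, so the configuration stays safe both before and after the upgrade to 1.10.0. Upgrading remains the first action; this pattern is for code that also wants an explicit allow-list as defense in depth.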
Research and Conclusions
ePO doesn't use the Apache Commons Text library, so ePO isn't vulnerable to CVE-2022-42889.
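A conclusion like the one above rests on knowing whether the library is bundled with a product at all. The following Java inventory check is an added example, not a Trellix tool, for anyone who wants to verify the same thing on their own deployment of any Java application. It assumes the jars on disk keep Maven's standard pom.properties path for the commons-text artifact and falls back to looking for the library's class package when that file is absent; the install directory is supplied as a command-line argument.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.stream.Stream;

// Added example: walk an install directory and report any jar that bundles commons-text.
public class CommonsTextInventory {

    // Maven's standard metadata path for the commons-text artifact inside its jar.
    static final String POM_PROPS =
            "META-INF/maven/org.apache.commons/commons-text/pom.properties";
    // Package prefix of the library's classes, used when pom.properties is missing (e.g. shaded jars).
    static final String CLASS_PREFIX = "org/apache/commons/text/";

    /** Returns the bundled commons-text version, "unknown" if only its classes were found, or null if absent. */
    static String commonsTextVersion(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            JarEntry props = jf.getJarEntry(POM_PROPS);
            if (props != null) {
                Properties p = new Properties();
                try (InputStream in = jf.getInputStream(props)) {
                    p.load(in);
                }
                return p.getProperty("version", "unknown");
            }
            boolean hasClasses = jf.stream().anyMatch(e -> e.getName().startsWith(CLASS_PREFIX));
            return hasClasses ? "unknown" : null;
        }
    }

    /** True when the version string falls in the 1.5 through 1.9 range named in the CVE. */
    static boolean inAffectedRange(String version) {
        String[] parts = version.split("\\.");
        if (parts.length < 2) {
            return false;
        }
        try {
            int major = Integer.parseInt(parts[0]);
            // Strip any qualifier such as "-SNAPSHOT" from the minor component before parsing.
            int minor = Integer.parseInt(parts[1].replaceAll("[^0-9].*$", ""));
            return major == 1 && minor >= 5 && minor <= 9;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical install root; pass the product's directory as the first argument.
        Path root = Path.of(args.length > 0 ? args[0] : ".");
        try (Stream<Path> files = Files.walk(root)) {
            Iterable<Path> jars = files.filter(f -> f.toString().endsWith(".jar"))::iterator;
            for (Path jar : jars) {
                String version = commonsTextVersion(jar);
                if (version == null) {
                    continue; // this jar does not contain commons-text
                }
                String flag = inAffectedRange(version) ? "  <-- within CVE-2022-42889 range" : "";
                System.out.println(jar + ": commons-text " + version + flag);
            }
        }
    }
}
```

Two caveats when reading the output: a jar that relocates the library under a different package (a shaded build) will not match the class-prefix fallback, and nested archives (.war, .ear, jars inside jars) are not opened by this walk, so extend the scan to those containers if the product ships them. A result of "unknown" means the classes are present but the version could not be read, which should be resolved manually rather than treated as unaffected.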