Security Vulnerability detected on commons-text-1.7.jar CVE-2022-42889
Description
Security software flags commons-text-1.7.jar in the vault\lib folder of the Endpoint Cloud Vault and Protection Agent installation as affected by the Apache Commons Text vulnerability CVE-2022-42889.
Note
Endpoint Cloud is NOT vulnerable to this security issue, and can be whitelisted without concern.
How to identify the problem
This issue appears in reports from Microsoft Defender (or other security software), flagged as CVE-2022-42889 against commons-text-1.7.jar.
What causes this vulnerability to be flagged?
In order to exploit the vulnerability, all of the following conditions must be met:
- The application runs Apache Commons Text version 1.5 through 1.9 (the fix shipped in 1.10.0, which no longer enables the script, dns and url lookups by default).
- The application uses the StringSubstitutor interpolator (StringSubstitutor.createInterpolator() or StringLookupFactory.interpolatorStringLookup()) with its default lookups.
- Attacker-controlled text reaches that interpolator's replace() call.
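As an added illustration (not code from the Endpoint Cloud product or from the Apache project), the following Java program shows the condition the requirements above describe: the interpolating StringSubstitutor, with its default lookups, applied to text an attacker controls. Next to it are the two usages that do not expose the script, dns and url lookups: a plain map-backed StringSubstitutor, and an interpolator built from an explicit allow-list with addDefaultLookups=false. It assumes commons-text 1.5 through 1.9 on the classpath (for instance the commons-text-1.7.jar mentioned above, together with its commons-lang3 dependency); the class name, the UNTRUSTED sample string and the helper method names are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Demonstrates the pattern behind CVE-2022-42889 (example code, not the product's own):
 * an interpolating StringSubstitutor whose default lookups include script, dns and url,
 * applied to attacker-controlled text. Assumes commons-text 1.5-1.9 on the classpath.
 */
public class CommonsTextInterpolationDemo {

    /**
     * Constructed sample input standing in for a value an attacker controls (an HTTP
     * parameter, a log message, a config value). Both lookups resolve offline:
     * dns:address:localhost asks the local resolver, and the script lookup evaluates
     * JavaScript inside the JVM when a JSR-223 engine such as Nashorn is installed.
     */
    static final String UNTRUSTED =
            "host=${dns:address:localhost} "
          + "jvm=${script:javascript:java.lang.System.getProperty('java.version')}";

    /** Vulnerable pattern: interpolator with the default lookups over untrusted text.
     *  Equivalent to StringSubstitutor.createInterpolator() in commons-text 1.8+. */
    static String vulnerableRender(String untrusted) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.interpolatorStringLookup());
        return sub.replace(untrusted);
    }

    /** Map-backed substitution: only keys present in the map resolve. "dns:..." and
     *  "script:..." are simply undefined variables and are left in the output unchanged. */
    static String mapRender(String untrusted, Map<String, String> vars) {
        return new StringSubstitutor(vars).replace(untrusted);
    }

    /** Interpolator restricted to an explicit allow-list of lookups (here only "env")
     *  with addDefaultLookups=false, so script, dns and url are not reachable at all. */
    static String restrictedRender(String untrusted) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("env", StringLookupFactory.INSTANCE.environmentVariableStringLookup());
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup).replace(untrusted);
    }

    /** The script lookup throws IllegalArgumentException when no "javascript" engine is
     *  installed (JDK 15+ ships without Nashorn); report that instead of aborting the demo. */
    static String attempt(Supplier<String> render) {
        try {
            return render.get();
        } catch (RuntimeException e) {
            return "<failed: " + e.getClass().getSimpleName() + ": " + e.getMessage() + ">";
        }
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("host", "example.internal"); // constructed: the only variable the app defines

        System.out.println("vulnerable : " + attempt(() -> vulnerableRender(UNTRUSTED)));
        System.out.println("map-backed : " + attempt(() -> mapRender(UNTRUSTED, vars)));
        System.out.println("restricted : " + attempt(() -> restrictedRender(UNTRUSTED)));
        System.out.println("restricted : " + attempt(() -> restrictedRender("path=${env:PATH}")));
    }
}
```

Compile and run with commons-text and commons-lang3 on the classpath (for example `javac -cp commons-text-1.7.jar:commons-lang3-3.9.jar CommonsTextInterpolationDemo.java` and the matching `java -cp ...` line; the lang3 version is an assumption, use whichever your build resolves). In the vulnerable line the dns lookup resolves "localhost" from attacker-supplied text, and, on a JDK with a JavaScript engine, the script lookup runs attacker-supplied code in the JVM; without an engine that line reports "No script engine named javascript", which still shows the input reached the lookup. The map-backed and restricted lines print the `${dns:...}` and `${script:...}` text untouched. With commons-text 1.10.0 or later the same vulnerable method also leaves them untouched, because script, dns and url are no longer default lookups.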
How does Endpoint Cloud handle these conditions?
Protection Agent
- The agent-client-test-utils module depends directly on commons-text, but it is a test-only module that is not used by the running application.
- The vulnerable StringSubstitutor class is not used.
- The agent-client-application module uses the WordUtils class from commons-text (pulled in transitively), but WordUtils is NOT affected by this vulnerability; only the StringSubstitutor interpolator is.
Vault
- commons-text is a transitive dependency of micrometer-registry-datadog; it is not used directly anywhere in the Vault source code.
- Vault metrics are not configured to be sent to Datadog, and the Datadog registry is not used.
- commons-text is also a transitive dependency of commons-configuration2, which does not make use of the vulnerable StringSubstitutor interpolator and its script, dns and url lookups.
Check if the problem has been fixed
The Vault and Protection Agent can be whitelisted in your security software without concern; the next scan should then run clean.