Posted to user@ignite.apache.org by Raymond Wilson <ra...@trimble.com> on 2022/10/31 05:27:58 UTC

Pending critical vulnerabilities for OpenSSL and Apache Commons Text

In the last few days two new potentially high profile vulnerabilities have
come forth from OpenSSL & Apache.

We are currently using Apache Ignite 2.13 and would like to understand if
there is known exposure to the vulnerabilities noted below:

1. The OpenSSL set of libraries has a pending release of a critical
   vulnerability
   <https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html>.

OpenSSL Details:

On Oct 25, 2022 one of the main contributors to the OpenSSL project
released a statement that a CVE is to be released for the OpenSSL 3.x branch
on Tuesday Nov 1, 2022.  Currently, details are not released about the
vulnerability, due to embargo giving people time to patch, but it is
currently listed as a critical vulnerability.  Previously, critical
vulnerabilities have leaked memory as well as encryption keys; because of
this, it is recommended that all libraries be upgraded to 3.0.7 (currently
unreleased, will be released Nov 1) for groups utilizing the 3.x branch. As
per the development team, users using 1.1.1s are currently unaffected by
this vulnerability.


2. The Apache Commons Text libraries have uncovered and released a fix for
   a critical issue.  The attack vector for this attack is not fully
   understood, and more patches are coming out.


Apache Commons Text Details - CVE-2022-42889
<https://nvd.nist.gov/vuln/detail/CVE-2022-42889>

On Oct 13th, 2022 a vulnerability was published in the Apache Commons Text
library. The vulnerability is related to the use of interpolated strings
that allow for the execution of arbitrary code by an attacker. Any string
that utilizes the library for the interpolation of strings is vulnerable to
the attack. The fix that was supplied by the Apache Software Foundation
addresses the remote code execution vulnerability; however, it doesn't
address a secondary attack vulnerability that allows for arbitrary file
access by the attacker.  Teams are recommended to upgrade all instances of
the library to 1.10, with the expectation that they will upgrade to 1.11 as
soon as it is made available.

Thanks,
Raymond.

-- 
Raymond Wilson
Trimble Distinguished Engineer, Civil Construction Software (CCS)
11 Birmingham Drive | Christchurch, New Zealand
raymond_wilson@trimble.com

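As an added example (not from the thread, and not Ignite's own code), a Python exposure check that applies the version thresholds the message above states: it classifies OpenSSL and Commons Text version strings (3.x below 3.0.7 needs the upgrade, 1.1.1 is out of scope; Commons Text below 1.10 is vulnerable, 1.10 fixes the RCE with 1.11 expected to follow) and scans a directory tree, such as an Ignite distribution's libs/ directory, for commons-text jars, reading the version from the jar's Maven pom.properties when the file name does not carry it. The jars built in demo() are constructed for illustration only.

```python
import re, tempfile, zipfile
from pathlib import Path
# Thresholds as stated in the thread: Commons Text 1.10 fixes the CVE-2022-42889 RCE
# (1.11 expected to follow); OpenSSL 3.0.7 is the announced fix, 1.1.1 is unaffected.
COMMONS_TEXT_FIXED = (1, 10)
OPENSSL_FIXED = (3, 0, 7)

def parse_version(text):
    """'1.9', '3.0.5' or '1.1.1s' -> tuple of ints (letter suffixes dropped)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def commons_text_status(version):
    v = parse_version(version)[:2]
    if v < COMMONS_TEXT_FIXED:
        return "vulnerable"    # CVE-2022-42889: upgrade to 1.10 or later
    if v == COMMONS_TEXT_FIXED:
        return "rce-fixed"     # file-access issue remains: move to 1.11 when available
    return "not-affected"

def openssl_status(version):
    v = parse_version(version)[:3]
    if not v or v[0] != 3:
        return "not-affected"  # only the 3.x branch is in scope
    return "patched" if v >= OPENSSL_FIXED else "upgrade-to-3.0.7"

def jar_version(jar_path):
    """Version from the jar's Maven pom.properties, else from the file name."""
    prefix = "META-INF/maven/org.apache.commons/commons-text/"
    with zipfile.ZipFile(jar_path) as z:
        for name in z.namelist():
            if name.startswith(prefix) and name.endswith("pom.properties"):
                for line in z.read(name).decode().splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    m = re.search(r"commons-text-(\d[\w.]*)\.jar$", str(jar_path))
    return m.group(1) if m else None

def scan_jars(root):
    """Walk a tree (e.g. an Ignite install's libs/) and classify every commons-text jar."""
    return {jar.name: commons_text_status(jar_version(jar))
            for jar in Path(root).rglob("commons-text-*.jar")}

def demo():
    """Constructed input: two fake commons-text jars under a temp dir, not real artifacts."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    with zipfile.ZipFile(root / "lib" / "commons-text-1.9.jar", "w") as z:
        z.writestr("META-INF/maven/org.apache.commons/commons-text/pom.properties", "version=1.9\n")
    zipfile.ZipFile(root / "commons-text-1.10.jar", "w").close()  # version only in the name
    return scan_jars(root)
```

Run scan_jars() against the real install tree and pass the output of `openssl version` to openssl_status() to answer the two exposure questions in the message.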
Re: Pending critical vulnerabilities for OpenSSL and Apache Commons Text

Posted by Stephen Darlington <st...@gridgain.com>.
Commons-text is only used for testing the Kubernetes integration and isn’t shipped. Having said that, we should update to a version that isn’t vulnerable when one becomes available. (It’s a transitive dependency. We use the latest version of MockServer, but it has not been patched yet. https://mvnrepository.com/artifact/org.mock-server/mockserver-netty)

I’ll let someone else respond to the OpenSSL vulnerability, as I don’t know for sure. I think Ignite uses Java-native cryptographic functions, so probably not an issue. And if it is, you’d need to update your Java or OS.

Regards,
Stephen
