Apache Commons-Text - CVE-2022-42889 - CVSS 9.8

Checking around, I don’t see any discussions about the Apache Commons-Text vulnerability CVE-2022-42889 (NVD - CVE-2022-42889). Scanning the 4.7 code, I do see version 1.6 of ‘commons-text’ is in use in the ‘xmppserver’ folder of the repo. This is a vulnerable version (1.5-1.9: https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om). What is the impact of the vulnerability, the scope of work to remediate, and what timeline are we looking at for a bugfix release?

Thanks,

Greg

Hi Greg,

We have analyzed the usage of the library in Openfire. The affected code from that library does not seem to be used in Openfire. Nonetheless, we will upgrade the library in the next release of Openfire. That change has been applied to the source code earlier today.

Thanks, @guus ! We came to the same conclusion while reviewing the code usage in Openfire as well as our app which interfaces with Openfire. I will provide this information to our Security team for tracking. thanks again!

Greg

Thanks for the information @guus! Do you know if it’s possible that Openfire could actually indeed be vulnerable to CVE-2022-42889? Or perhaps is it possible that someone could misconfigure Openfire to be vulnerable to CVE-2022-42889?

I’m currently involved in investigating an incident where Openfire was compromised and leveraged to execute further malicious commands typically observed after initial exploitation. Any further information you can provide is much appreciated - thanks!

Even though Openfire does not directly seem to invoke the affected code, it does make that code available. This could lead to indirect use, for example by third party plugins. Far-fetched, but not out of the realm of the possible.

I am interested in learning more about the issue that you are investigating, and particularly in how you have established that the exploitation happened through Openfire. Can you elaborate more, for example through our security mailbox (security at IgniteRealtime)?

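To make the "indirect use" point in the reply above concrete, here is an added example (not code from Openfire, from the thread, or from the commons-text project) of the pattern that CVE-2022-42889 hinges on: a hypothetical plugin passing untrusted text through the library's default interpolating StringSubstitutor, next to an allowlisted substitutor that never consults the script/dns/url lookups regardless of library version. The plugin scenario, the class and method names, and the probe string are assumptions for illustration; the commons-text API calls (createInterpolator, interpolatorStringLookup, dateStringLookup) are the library's own. Running the main method against the commons-text jar actually on the classpath also serves as a quick check of whether that copy still resolves script lookups by default.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class InterpolationCheck {

    // Constructed probe standing in for attacker-controlled text (e.g. a message
    // body or vCard field that a hypothetical plugin formats). It is deliberately
    // harmless: it only asks the script lookup to evaluate Math.max(1, 2).
    static final String UNTRUSTED = "${script:javascript:java.lang.Math.max(1, 2)}";

    // Vulnerable pattern: on commons-text 1.5-1.9 the default interpolator
    // registers the script, dns and url lookups, so the probe is evaluated by
    // a JSR-223 engine if one is present (Nashorn on JDK <= 14). On 1.10+ those
    // lookups are disabled by default and the probe is left unresolved.
    static String substituteWithDefaults(String input) {
        return StringSubstitutor.createInterpolator().replace(input);
    }

    // Hardened pattern: build the interpolator from an explicit allowlist and
    // pass addDefaultLookups=false so nothing outside the map is ever consulted.
    // Unknown prefixes such as "script:" resolve to null and are left as-is,
    // on every library version.
    static String substituteAllowlisted(String input) {
        Map<String, StringLookup> allowed = Map.of(
                "date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, /* defaultStringLookup */ null, /* addDefaultLookups */ false);
        return new StringSubstitutor(lookup).replace(input);
    }

    public static void main(String[] args) {
        // With 1.5-1.9 and a JavaScript engine available, the first line prints "2";
        // with 1.10+ (or the allowlisted substitutor) the probe comes back unchanged.
        System.out.println("default interpolator : " + substituteWithDefaults(UNTRUSTED));
        System.out.println("allowlisted          : " + substituteAllowlisted(UNTRUSTED));
    }
}
```

Note that the first call can also throw IllegalArgumentException on JDKs without a bundled JavaScript engine (15 and later), which is a different failure mode from "not vulnerable": the lookup was still invoked on untrusted input. The allowlisted form is what a plugin author should use whenever the template or its variables can come from a remote user, independently of which commons-text version the server ships.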