Problem:
commons-text-1.9.jar is not secure anymore according to
CVE-2022-42889
Expected outcome:
candlepin using commons-text-1.10.jar or later
Foreman and Proxy versions:
foreman 3.4.0 / Katello 4.2.3
Distribution and version:
CentOS 8 / Rocky 8
Hi Andre,
I put it onto foreman-security@googlegroups.com to get clarification. I currently assume that candlepin sufficiently sanitizes input into the Apache Commons Text library, making it less vulnerable (see also Red Hat Satellite on the list of affected packages on the Red Hat Customer Portal).
I’ll post here if I hear anything different.
2 Likes
Hi @m-bucher,
Do you know if there are any updates about this issue?
Kind regards,
Andre
The library is a dependency of a dependency of Candlepin.
From what I know, the Candlepin team aims to update the dependency for the next release. Whether they will also backport it to stable Foreman/Katello versions, I have no information.
As far as I can see, they have already merged the fix (or rather the dependency upgrade) into master:
candlepin:master
← candlepin:dependabot/gradle/master/org.apache.activemq-artemis-server-2.27.0
opened 01:08PM - 15 Nov 22 UTC
Bumps [artemis-server](https://github.com/apache/activemq-artemis) from 2.26.0 to 2.27.0.
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/apache/activemq-artemis/commit/1fd6cb6239803fad98f7202aade6df448d4bc5fa"><code>1fd6cb6</code></a> [maven-release-plugin] prepare release 2.27.0</li>
<li><a href="https://github.com/apache/activemq-artemis/commit/03dec4e2d0ee4a5566d38425b5e1d9cda519bb8a"><code>03dec4e</code></a> ARTEMIS-4081 Comparing upgrades against fresh instances and some adjustments</li>
<li><a href="https://github.com/apache/activemq-artemis/commit/304033673c9d1a2f59a403568dd9ce52c25ab44d"><code>3040336</code></a> ARTEMIS-4081: some small cleanups and fixups</li>
<li><a href="https://github.com/apache/activemq-artemis/commit/97e0a3d7f29b03840474f724a79f5879152a09a1"><code>97e0a3d</code></a> ARTEMIS-4081, ARTEMIS-4020: update versions/update docs around new upgrade he...</li>
<li><a href="https://github.com/apache/activemq-artemis/commit/60c544272cf771e3daecdfea5fa93fcf1bfb1240"><code>60c5442</code></a> Fix and rewrite the config-delete-* docs</li>
<li><a href="https://github.com/apache/activemq-artemis/commit/d3e0ca3e1137356f493b7b4d0e4f60a0abad8f86"><code>d3e0ca3</code></a> ARTEMIS-4071 Fix erroneus audit log messages due to console logouts</li>
<li><a href="https://github.com/apache/activemq-artemis/commit/9c88fb4f88ce1827d470ceee832e2efb4f5b3980"><code>9c88fb4</code></a> ARTEMIS-4081 Upgrade command</li>
<li><a href="https://github.com/apache/activemq-artemis/commit/db1338af5227fc016cf4ab37b2230a837f863688"><code>db1338a</code></a> ARTEMIS-4020 Fixing Management DTO Parsing with custom ETC</li>
<li><a href="https://github.com/apache/activemq-artemis/commit/38fc74749b6eb5f5e02f21ff2193073cb682bb28"><code>38fc747</code></a> ARTEMIS-4079 quick semantic fix</li>
<li><a href="https://github.com/apache/activemq-artemis/commit/d7e02ca9fb18ab4a970e86c6a8d28da53b3b23d1"><code>d7e02ca</code></a> ARTEMIS-4079 CLI retry doesn't work sometimes</li>
<li>Additional commits viewable in <a href="https://github.com/apache/activemq-artemis/compare/2.26.0...2.27.0">compare view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
</details>
1 Like
Good day,
Thanks for answering my last questions.
I just updated Foreman to 3.5.1 and Katello to 4.7.
I do see that candlepin in the repo is still on 4.2.3-1 (makes me a little sad).
I guess that removing commons-text-1.9.jar will destroy the running config.
I think I’ll try to replace commons-text-1.9 with 1.10 to avoid security issues
(the security team really wants that 1.9 gone).
Or would you try to fix this another way?
Kind regards,
I think I’ll try to replace commons-text-1.9 with 1.10 to avoid security issues.
I guess that is the best strategy for now. I have not tested it myself, but as long as the interfaces have not changed, it should be fine.
1 Like
Hello, I am also under pressure from the security department.
In case of replacing commons-text-1.9.jar (or commons-text-1.8.jar in my case), is it sufficient to download commons-text-1.10.0-bin.zip from https://dlcdn.apache.org/, then put commons-text-1.10.jar into the /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/ directory and remove /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/commons-text-1.8.jar?
Thank you
Jan
What I just did (some minutes ago):
put the commons-text-1.10.jar in that folder (changed permissions to tomcat:tomcat),
set the 1.9 to my homefolder, and rebooted (just to be sure).
Everything still seems to work.
4 Likes
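The manual swap described in the two posts above (find the old commons-text jar under the Candlepin webapp, move it aside as a backup, drop in the 1.10.0 jar, fix ownership), written up as a small POSIX shell script. This is an added example and not code from the thread, from Candlepin or from Foreman/Katello. It assumes the jar name carries the version (as it does for the Maven artifact), that 1.10.0 is the fixed release for CVE-2022-42889, and that paths, backup directory and owner (the thread's tomcat:tomcat) are passed in by the caller; the version comparison is numeric so that 1.9 is correctly treated as older than 1.10.

```shell
#!/bin/sh
# Added example, not code from the thread or from Candlepin/Foreman.
# Locates commons-text jars below 1.10.0 (the release that fixes
# CVE-2022-42889) under a directory tree and swaps each flagged jar for a
# replacement while keeping a backup copy, as the poster did by hand.
# All paths are the caller's choice; the thread's own directory is
# /var/lib/tomcat/webapps/candlepin/WEB-INF/lib (assumption: unchanged layout).

# Print the version embedded in a jar file name, e.g.
# commons-text-1.9.jar -> 1.9. Prints nothing for other jars.
commons_text_version() {
    basename "$1" .jar | sed -n 's/^commons-text-//p'
}

# Return 0 (true) when version $1 is below 1.10.0, 1 otherwise.
# Major and minor are compared as numbers; a plain string compare would
# put "1.9" after "1.10" and miss the vulnerable jar.
below_fixed_version() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2)
    [ -n "$minor" ] || minor=0
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in *[!0-9]*) return 1 ;; esac
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -lt 10 ]; then return 0; fi
    return 1
}

# Print every commons-text jar under directory $1 whose version is below
# 1.10.0, one path per line, sorted for stable output.
find_unfixed_jars() {
    find "$1" -type f -name 'commons-text-*.jar' | sort | while read -r jar; do
        if below_fixed_version "$(commons_text_version "$jar")"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Move the old jar $1 into backup directory $3, copy the replacement $2
# next to where the old jar was, and chown the copy to $4 when given
# (the thread used tomcat:tomcat). Prints the path of the installed copy.
replace_jar() {
    old="$1"; new="$2"; backup_dir="$3"; owner="$4"
    dest="$(dirname "$old")/$(basename "$new")"
    mkdir -p "$backup_dir" || return 1
    mv "$old" "$backup_dir/" || return 1
    cp "$new" "$dest" || return 1
    chmod 644 "$dest" || return 1
    if [ -n "$owner" ]; then chown "$owner" "$dest" || return 1; fi
    printf '%s\n' "$dest"
}

# Replace every flagged jar under tree $1 with $2, backing up into $3 and
# optionally chowning to $4. Fails on the first jar that cannot be swapped.
remediate_tree() {
    tree="$1"; new="$2"; backup_dir="$3"; owner="$4"
    find_unfixed_jars "$tree" | while read -r jar; do
        replace_jar "$jar" "$new" "$backup_dir" "$owner" || exit 1
    done
}

# Example invocation for the thread's layout (commented out; run as root):
# remediate_tree /var/lib/tomcat/webapps/candlepin/WEB-INF/lib \
#     /root/commons-text-1.10.0.jar /root/candlepin-jar-backup tomcat:tomcat
```

After the swap the service has to be restarted so the new jar is loaded (the poster rebooted; `systemctl restart tomcat` is the usual equivalent, assuming the service is named tomcat as the /var/lib/tomcat path suggests). Running `find_unfixed_jars` again afterwards is the check that nothing was missed, and it is worth repeating after every candlepin package update, since the package re-installs its own jars and will bring the old one back until the packaged version carries the fix.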
em-g
March 28, 2023, 4:51pm
#9
Hello vanginkel,
What do you mean by: “set the 1.9 to my homefolder”?
Many thanks
Hi, I think he means he made a backup of this file in his home folder. Anyway, as far as I know there is already a fix for this issue in Katello 4.7.3.
I indeed copied it to my home folder, as a backup in case it would break Katello stuff.