Security issue with commons-text provided by katello candlepin = 4.2.3-1.el8

commons-text-1.9.jar is not secure anymore according to

Expected outcome:
candlepin using commons-text-1.10.jar or later
Foreman and Proxy versions:
foreman 3.4.0 / Katello 4.2.3

Distribution and version:
CentOS-8/ Rocky-8 /

Hi Andre,

I put it onto to get clarification. I currently assume that candlepin sufficiently sanitizes input into Apache Commons Text library, making it less vulnerable (see also Red Hat Satellite on the list of affected Packages: Red Hat Customer Portal - Access to 24x7 support and knowledge).

I’ll post here, if I here anything different.


hi @m-bucher,
Do you know if there are any updates about this issue?

Kind regards,

The library is a dependency of a dependency of Candlepin.

From what I know the Candlepin-team aims to update the dependency for next release. Whether they will also backport it to stable foreman/katello-versions, I have no information.

As far as I see they already have merged the fix (or better the dependency upgrade) into master:

1 Like

Good day,

Thanks for answering my last questions.
I just updated foreman to 3.5 .1 and katello to 4.7.
I do see that candlepin in the repo still is on 4.2.3-1. (makes me a little sad)
I guess that removing commons-text-1.9.jar will destroy the running config.
I think I’ll try to replace commons-text-1.9 with 1.10 to avoid security issues.
(the security team really want that 1.9 gone).
Or would you try to fix this another way?

Kind regards,

I think I’ll try to replace commons-text-1.9 with 1.10 to avoid security issues.

I guess that is the best strategy for now. I have not tested it myself, but as long as the interfaces have not changed, it should be fine. :crossed_fingers:

1 Like

Hello, I am also under pressure of the security department,

in case of replacing of the commons-text-1.9.jar (or commons-text-1.8.jar in my case), is it sufficient to download from and then put commons-text-1.10.jar to /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/ directory and remove the /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/commons-text-1.8.jar ?

Thank you


What I just did, (some minutes ago)
put the commons-text-1.10.jar in that folder (changed permissions to tomcat:tomcat)
set the 1.9 to my homefolder, and rebooted. (just to be sure).
Everything still seems to work.


Hello vanginkel,

What do you mean by: “set the 1.9 to my homefolder”?

Many thanks

Hi, I think he means he makes backup of this file into his homefolder. Anyway as far as I know there is already a fix for this issue in the katello 4.7.3

I indeed copied it to my homefolder, as a backup in case it would break katello stuff.