Security issue with commons-text provided by katello candlepin = 4.2.3-1.el8

Problem:
commons-text-1.9.jar is not secure anymore according to CVE-2022-42889

Expected outcome:
candlepin using commons-text-1.10.jar or later

Foreman and Proxy versions:
foreman 3.4.0 / Katello 4.2.3

Distribution and version:
CentOS 8 / Rocky 8

Hi Andre,

I put it onto foreman-security@googlegroups.com to get clarification. I currently assume that candlepin sufficiently sanitizes input into the Apache Commons Text library, making it less vulnerable (see also Red Hat Satellite on the list of affected packages in the Red Hat Customer Portal).

I'll post here if I hear anything different.


Hi @m-bucher,
Do you know if there are any updates about this issue?

Kind regards,
Andre

The library is a dependency of a dependency of Candlepin.

From what I know, the Candlepin team aims to update the dependency for the next release. Whether they will also backport it to stable foreman/katello versions, I have no information.

As far as I see they already have merged the fix (or better the dependency upgrade) into master:
https://github.com/candlepin/candlepin/pull/3674


Good day,

Thanks for answering my last questions.
I just updated foreman to 3.5.1 and katello to 4.7.
I do see that candlepin in the repo is still on 4.2.3-1 (makes me a little sad).
I guess that removing commons-text-1.9.jar will destroy the running config.
I think I'll try to replace commons-text-1.9 with 1.10 to avoid security issues
(the security team really wants 1.9 gone).
Or would you try to fix this another way?

Kind regards,

I think I’ll try to replace commons-text-1.9 with 1.10 to avoid security issues.

I guess that is the best strategy for now. I have not tested it myself, but as long as the interfaces have not changed, it should be fine. :crossed_fingers:


Hello, I am also under pressure from the security department.

In the case of replacing the commons-text-1.9.jar (or commons-text-1.8.jar in my case), is it sufficient to download commons-text-1.10.0-bin.zip from https://dlcdn.apache.org/, then put commons-text-1.10.jar into the /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/ directory and remove /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/commons-text-1.8.jar?

Thank you

Jan

What I just did (some minutes ago):
put the commons-text-1.10.jar in that folder (changed permissions to tomcat:tomcat),
set the 1.9 to my homefolder, and rebooted (just to be sure).
Everything still seems to work.

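A shell script, added here as an example and not code from the thread or from Katello/Candlepin, that automates the swap the posts above describe: it finds the commons-text jar under WEB-INF/lib, checks whether its version is below 1.10.0, moves the old jar to a backup directory, copies the new jar in and hands it to tomcat:tomcat. The backup location, the refusal to install an old jar and the restart step are my assumptions; run it as root on the Katello host and restart tomcat (or reboot, as the poster did) afterwards.

```shell
#!/bin/sh
# Added example, not code from the thread or from Katello/Candlepin.
# Audits the Candlepin WEB-INF/lib directory for a commons-text jar older
# than 1.10.0 (the version that fixes CVE-2022-42889) and swaps in the fixed
# jar the way the posts above describe: move the old jar aside as a backup,
# copy the new one in, and hand it to the tomcat user.
set -eu

# Print "major.minor.patch" for a commons-text jar filename,
# e.g. commons-text-1.9.jar -> 1.9.0; fail for any other filename.
commons_text_version() {
  name=$(basename "$1")
  case "$name" in
    commons-text-[0-9]*.jar) ;;
    *) echo "not a commons-text jar: $name" >&2; return 1 ;;
  esac
  echo "$name" |
    sed -E 's/^commons-text-([0-9]+)\.([0-9]+)(\.([0-9]+))?\.jar$/\1.\2.\4/' |
    awk -F. '{ printf "%d.%d.%d\n", $1, $2, $3 }'
}

# Turn "1.10.0" into an integer so versions compare numerically (1.9 < 1.10).
version_key() {
  echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Succeed when the jar is older than 1.10.0, i.e. affected by CVE-2022-42889.
commons_text_is_vulnerable() {
  v=$(commons_text_version "$1") || return 1
  [ "$(version_key "$v")" -lt "$(version_key 1.10.0)" ]
}

# replace_commons_text LIBDIR NEWJAR BACKUPDIR [OWNER]
# Refuses a NEWJAR that is itself vulnerable; leave OWNER empty to skip chown
# (e.g. when not running as root). Restart tomcat afterwards (assumed step).
replace_commons_text() {
  libdir=$1; newjar=$2; backupdir=$3; owner=${4:-}
  if commons_text_is_vulnerable "$newjar"; then
    echo "refusing to install vulnerable $(basename "$newjar")" >&2; return 1
  fi
  for old in "$libdir"/commons-text-*.jar; do
    [ -e "$old" ] || continue            # glob matched nothing
    if commons_text_is_vulnerable "$old"; then
      mv "$old" "$backupdir/"            # keep a backup, as the poster did
      echo "moved $(basename "$old") to $backupdir"
    fi
  done
  cp "$newjar" "$libdir/"
  [ -z "$owner" ] || chown "$owner" "$libdir/$(basename "$newjar")"
}
# Usage on a Katello host (paths from the thread; backup dir is assumed):
# replace_commons_text /var/lib/tomcat/webapps/candlepin/WEB-INF/lib \
#   ./commons-text-1.10.0.jar /root/candlepin-backup tomcat:tomcat
```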

Hello vanginkel,

What do you mean by: “set the 1.9 to my homefolder”?

Many thanks

Hi, I think he means he made a backup of this file in his home folder. Anyway, as far as I know there is already a fix for this issue in Katello 4.7.3.

I indeed copied it to my homefolder, as a backup in case it would break katello stuff.