Problem:
commons-text-1.9.jar is not secure anymore according to
CVE-2022-42889
Expected outcome:
candlepin using commons-text-1.10.jar or later
Foreman and Proxy versions:
foreman 3.4.0 / Katello 4.2.3
Distribution and version:
CentOS-8/ Rocky-8 /
Hi Andre,
I put it onto foreman-security@googlegroups.com to get clarification. I currently assume that candlepin sufficiently sanitizes input into Apache Commons Text library, making it less vulnerable (see also Red Hat Satellite on the list of affected Packages: Red Hat Customer Portal - Access to 24x7 support and knowledge).
I’ll post here, if I here anything different.
hi @m-bucher,
Do you know if there are any updates about this issue?
Kind regards,
Andre
The library is a dependency of a dependency of Candlepin.
From what I know the Candlepin-team aims to update the dependency for next release. Whether they will also backport it to stable foreman/katello-versions, I have no information.
As far as I see they already have merged the fix (or better the dependency upgrade) into master:
https://github.com/candlepin/candlepin/pull/3674
Good day,
Thanks for answering my last questions.
I just updated foreman to 3.5 .1 and katello to 4.7.
I do see that candlepin in the repo still is on 4.2.3-1. (makes me a little sad)
I guess that removing commons-text-1.9.jar will destroy the running config.
I think I’ll try to replace commons-text-1.9 with 1.10 to avoid security issues.
(the security team really want that 1.9 gone).
Or would you try to fix this another way?
Kind regards,
I think I’ll try to replace commons-text-1.9 with 1.10 to avoid security issues.
I guess that is the best strategy for now. I have not tested it myself, but as long as the interfaces have not changed, it should be fine. 
Hello, I am also under pressure of the security department,
in case of replacing of the commons-text-1.9.jar (or commons-text-1.8.jar in my case), is it sufficient to download commons-text-1.10.0-bin.zip from https://dlcdn.apache.org/ and then put commons-text-1.10.jar to /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/ directory and remove the /var/lib/tomcat/webapps/candlepin/WEB-INF/lib/commons-text-1.8.jar ?
Thank you
Jan
What I just did, (some minutes ago)
put the commons-text-1.10.jar in that folder (changed permissions to tomcat:tomcat)
set the 1.9 to my homefolder, and rebooted. (just to be sure).
Everything still seems to work.
Hello vanginkel,
What do you mean by: “set the 1.9 to my homefolder”?
Many thanks
Hi, I think he means he makes backup of this file into his homefolder. Anyway as far as I know there is already a fix for this issue in the katello 4.7.3
I indeed copied it to my homefolder, as a backup in case it would break katello stuff.