Security Bulletin: IBM Content Navigator is affected by Apache Commons Text due to IBM Content Manager onDemand connector [CVE-2022-42889]

Summary

Apache Commons Text is used by IBM Content Navigator on container as part of the IBM Content Manager onDemand connector. [CVE-2022-42889] The vulnerability has been addressed.

Vulnerability Details

CVEID:CVE-2022-42889
**DESCRIPTION:**Apache Commons Text could allow a remote attacker to execute arbitrary code on the system, caused by an insecure interpolation defaults flaw. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)|**Version(s)
**
—|—
IBM Content Navigator| 3.0.11
IBM Content Navigator| 3.0.12

Note that this table shows only supported versions of the application as of the date of this bulletin.

Remediation/Fixes

IBM strongly suggests the following:

Affected Product(s)

| Version(s)|Remediation/Fix/Instructions
—|—|—
IBM Content Navigator| 3.0.13| Download 3.0.13 and follow instructions
IBM Content Navigator| 3.0.12 IF004| Download 3.0.12 IF004 and follow instructions
IBM Content Navigator| 3.0.11 IF007| Download 3.0.11 IF007 and follow instructions

Workarounds and Mitigations

IBM Content Navigator customers who do not use IBM Content Manager onDemand are neither affected nor vulnerable to this security vulnerability.

IBM Content Navigator customers who do use IBM Content Manager onDemand should disable full-text search

Disabling full-text search will avoid calling the vulnerable method.