Rapid7’s Impact from Apache Commons Text Vulnerability (CVE-2022-42889)

As stated in our Apache Commons Text blog post, CVE-2022-42889 is a vulnerability in the popular Apache Commons Text library that can result in code execution when processing malicious input, and affects versions 1.5 through 1.9. This vulnerability has been patched as of Commons Text version 1.10.

As part of standard due diligence, Rapid7 evaluates the potential impact of vulnerabilities in its products. This process includes validating the existence of the vulnerable libraries or services, interdependencies, the exploitability of the vulnerability in a given context, and impacts related to applying available patches.

Rapid7’s Nexpose console and InsightVM products are confirmed to currently include commons-text.1.6.jar (as of the date of this post). This library is not directly used within the scan engine, but has a shared dependency within the security console. While Rapid7’s assessment has found no paths to exploit for this vulnerability, we do plan to patch this vulnerability in Nexpose and InsightVM during the month of November 2022.