Is xMatters impacted by the recently announced vulnerability with the Apache commons-text library?
The Support and Engineering teams conducted an investigation of this vulnerability, and have confirmed that the implementation outlined in the notice is not present in xMatters.
This vulnerability does not impact the xMatters service.
On October 13, 2022, Apache disclosed CVE-2022-42889, a vulnerability involving specific implementations of the Apache Commons Text library and its StringSubstituter API where an attacker could gain access to a network or application.
In brief, any software using a version of commons-text prior to 1.10.0 and using the StringSubstitutor API where the inputs were not properly sanitized could be vulnerable. Versions 1.10.0 and later of the commons-text library were not affected, nor were any implementations of the StringSubstitutor API where the inputs were validated and sanitized.
Since the vulnerability was identified, the xMatters Security and Engineering teams have been extensively reviewing and testing all implementations of xMatters that use the commons-text library. The teams have confirmed that there are no instances of the affected versions of commons-text in use that also use the StringSubstitutor API without validating and sanitizing the inputs.
To ensure complete compliance, the Engineering teams will update all versions of commons-text to 1.10 at the earliest available opportunity.
We have a regular cadence of security scans looking for vulnerabilities and take action whenever possible and prudent to harden our software and services. Because these scans are constant and ongoing, the teams are able to correct for certain issues well before they become public.
In the interests of security, we will not be releasing a list of the versions and components currently in use. We can, however, confirm that the specific conditions required to perform a successful attack using this exploit are not and were not exposed in xMatters at any time.
The teams are continuing to test and monitor the system, and we will update this article as necessary.