Apache Commons-text library vulnerability

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Developer Edition Version 8.9.6 (build 50800)
  • what are you trying to achieve
    Our internal security team has found a vulnerability in the apache-commons-text library. We checked and found that SQ is also using that library, version 1.8,
    so we want to know whether we should ignore this or whether there is a mitigation recommended by SonarQube.
    The library was found in the locations below:
./data/web/deploy/plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
./temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar

Details about the vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2022-42889


Hi,

Please refer to this thread:

Ann


A post was merged into an existing topic: CVE-2022-42889 effect on SonarQube

Hi,

Could I just replace commons-text-1.8.jar with commons-text-1.10.0.jar in /opt/sonarqube-9.6.1.59531/data/web/deploy/plugins/securityjavafrontend/META-INF/lib?

I tried it and SonarQube’s service starts up successfully. Is there any risk?

Hi @tsai_nat,

Welcome to the community!

As stated in the thread I referred to above,

SonarQube versions aren’t vulnerable to this because SonarQube doesn’t use the dependency in a way that would expose it to the vulnerability.

You should not be hacking your SonarQube instance. The risks are unknown but entirely on you.

Ann

Hi,

Thanks for the reply, I understand.

Hello,
I understand that SonarQube is not vulnerable to CVE-2022-42889, but is a new version planned with the latest commons-text jar? I’m using 8.9 LTS, and unfortunately our Global security team has a stringent policy about vulnerabilities. They expect the software to use non-vulnerable files.
Thanks
Regards

Hi @morris_monaco,

You should consider upgrading to the latest version: 9.8. If you’re an LTS-only shop, then you’ll be pleased to know that 9.9 LTS will be released on 7 Feb.

HTH,
Ann

Hello Ann
thank you for your tips. Will version 9.8 or the next 9.9 LTS solve CVE-2022-42889? Is the commons-text jar the latest version?
I don’t understand why 8.9 LTS isn’t updated with the latest version of the commons-text jar. Normally LTS means that the software is supported for issues and bugs.

Thanks
Regards.
Morris

  • We just upgraded to the latest 9.8 version (EE) and

  • Our enterprise vulnerability scans still pick up on CVE-2022-42889.

  • In previous forum discussions it seems that this vulnerability does not affect SonarQube, but we have strict rules that vulnerable files cannot be used. It was also said that a manual patch is not recommended. In some replies I thought it was implied that the use of these vulnerable files would be fixed in 9.8 or 9.9. Can I get a confirmation or an update on the progress for this?

Hello Jade,

Thank you for reaching out.

SQ 9.8 was shipped with commons-text 1.10.0, which patches CVE-2022-42889.
Which scanner did you use? Can you provide more details about your finding (e.g. on what path(s) this vulnerability was found)?

Thank you in advance.

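Jade's post says the enterprise scanner still flags CVE-2022-42889 after the upgrade, and the reply asks on which path(s) the finding sits. The following is an added example, not code from this thread or from SonarSource: a small inventory script that walks an install directory, lists every commons-text jar it finds, reads the version from the jar's own Maven descriptor (META-INF/maven/org.apache.commons/commons-text/pom.properties, which is where scanners typically look, with the filename as a fallback), and marks anything below 1.10.0. The sample tree it builds is constructed here to mirror the paths quoted earlier in the thread; point `find_commons_text_jars()` at a real SonarQube directory instead to get the list the reply asked for. A flag means the file would be reported by a scanner, not that the application is exploitable; the thread's point that SonarQube does not use the library in an exposed way is unchanged.

```python
import os
import re
import tempfile
import zipfile

# commons-text 1.10.0 is the release that addresses CVE-2022-42889
FIXED_VERSION = (1, 10, 0)
JAR_NAME_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")
# Maven descriptor path inside a real commons-text jar
POM_PROPERTIES = "META-INF/maven/org.apache.commons/commons-text/pom.properties"


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); tuples compare numerically, so 1.8 < 1.10."""
    return tuple(int(part) for part in text.strip().split("."))


def jar_version(jar_path):
    """Version recorded inside the jar, falling back to the filename.

    The embedded Maven descriptor is preferred over the filename, so a
    renamed jar is still identified correctly. Returns None when neither
    source yields a version.
    """
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPERTIES in zf.namelist():
                text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        pass  # not a valid jar; fall through to the filename
    match = JAR_NAME_RE.match(os.path.basename(jar_path))
    return parse_version(match.group(1)) if match else None


def find_commons_text_jars(root):
    """Return sorted (relative path, version tuple, flagged) triples.

    flagged is True when the version is unknown or below 1.10.0, i.e. the
    file is what a vulnerability scanner would report.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("commons-text") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                flagged = version is None or version < FIXED_VERSION
                findings.append((os.path.relpath(path, root), version, flagged))
    return sorted(findings)


def _write_jar(path, version, with_descriptor=True):
    """Write a minimal constructed jar holding only the Maven descriptor."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if with_descriptor:
            zf.writestr(
                POM_PROPERTIES,
                f"version={version}\ngroupId=org.apache.commons\nartifactId=commons-text\n",
            )


def build_sample_tree():
    """Constructed sample install tree mirroring the paths quoted in the thread."""
    root = tempfile.mkdtemp(prefix="sq-sample-")
    plugin_lib = "plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar"
    _write_jar(os.path.join(root, "data/web/deploy", plugin_lib), "1.8")
    _write_jar(os.path.join(root, "temp/ce-exploded-" + plugin_lib), "1.8")
    # an upgraded copy, and one without a descriptor to exercise the filename fallback
    _write_jar(os.path.join(root, "lib/commons-text-1.10.0.jar"), "1.10.0")
    _write_jar(os.path.join(root, "extensions/commons-text-1.9.jar"), "1.9", with_descriptor=False)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel_path, version, flagged in find_commons_text_jars(root):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{'FLAG' if flagged else 'ok  '} {shown:8} {rel_path}")
```

Running it on the constructed tree prints the two 1.8 copies and the descriptor-less 1.9 jar as flagged and the 1.10.0 jar as ok; on a real install the relative paths in the output are exactly the detail the reply above requests.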