CVE-2022-42889 effect on SonarQube

Hi All,
I want to know whether SonarQube versions 9.3 & 9.5 are affected by CVE-2022-42889.

We have verified the source code on GitHub and couldn’t see any library related to org.apache.commons:commons-text, so we want to get confirmation of this.

Sonar version : 9.3 & 9.5

3 Likes

We have SonarQube Developer Edition and we would also like to know whether SonarQube is vulnerable to CVE-2022-24889. And if so, what versions. Can someone from SonarSource provide a statement?

Hello Sandy7894, Maarten,

Thank you for reaching out to us; we take all customer vulnerability reports very seriously.

None of these SonarQube versions are vulnerable to CVE-2022-42889. However, SQ 9.3 and 9.5 are no longer supported; hence our advice is to update to the last release, 9.7, which, of course, is not vulnerable either.

Please let me know if you have any further questions.

Kind regards,
Emanuele

1 Like

Hi there,

I’m using SQ 9.6.1 which does show a common-text dependency:

./data/web/deploy/plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
./temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar

How do you suggest we proceed? Does SQ 9.7 have the latest version of common-text?

Kind regards,
veenjw

1 Like

Hi veenjw,

Welcome to the community!

While it’s important to note that you should always be on the latest version or latest point release of the LTS, SonarQube versions aren’t vulnerable to this because it doesn’t use the dependency in a way that would expose it to the vulnerability.

 
HTH,
Ann

1 Like

Apologies for hijacking this thread, but you might need to check the plugins you have installed; these plugins are not supported here.

The findbugs plugin is not maintained by SonarSource but bundles commons-text.
Version 4.2.2 of the plugin (released yesterday / October 21st) upgraded to commons-text 1.10

3 Likes

We are using SonarQube version 8.9.6. Is this version affected by CVE-2022-42889?

Hello,

I upgraded the SQ server to version 9.7 today and scanned the system for the CVE but still found a possible vulnerability:

[2022-10-21 07:48:05.766095] VULNERABLE: sonarqube-9.7.0.61563\data\web\deploy\plugins\securityjavafrontend\META-INF\lib\commons-text-1.8.jar [f2243d67b348e7175f55902cdb7e54af: commons-text-1.8]
[2022-10-21 07:48:21.328839] VULNERABLE: sonarqube-9.7.0.61563\temp\ce-exploded-plugins\securityjavafrontend\META-INF\lib\commons-text-1.8.jar [f2243d67b348e7175f55902cdb7e54af: commons-text-1.8]

As far as I can see, securityjavafrontend is a bundled plugin within the distributed ZIP file. Am I right, and if so, can you assure me that my scanner is mistaken, or is this plugin indeed using the vulnerable commons-text version?

Thanks in advance.
Regards,

Richard Diederen.

1 Like

Hello,
I also just updated to the latest patch of 8.9 LTS but still see the same version of the library.

@ganncamp As you mentioned above, it shouldn’t impact us. Is that the verdict, or do we need to wait for a new patch?

./sonarqube-8.9.9.56886/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
./sonarqube-8.9.9.56886/temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar

Best Regards
Jashan Sidhu

Hi,
We are using SonarQube Developer Edition 8.9.6. Are you planning to update the commons_text dependency version to 1.10.0 and release a patch version for 8.9.6? (Just to be safe.) Please confirm.

Thanks,
Muhil

On a related note, your instance may already be vulnerable to other issues because it’s not updated. SonarQube 8.9.6 was released in 2021; the latest LTS version is 8.9.10.

Hey all.

  • SonarQube is not vulnerable to CVE-2022-42889: neither v8.9.10 LTS nor v9.7.
  • org.apache.commons.text.StringSubstitutor, the use of which can lead to a vulnerability, is not used in either version.
  • We will in any case update the dependency version (or try to drop it entirely) in future SonarQube versions (starting with v9.8) to suppress the warning. There are no plans at the moment to update v8.9 LTS.

We will keep you posted if anything changes.

3 Likes
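Added example, not part of the original thread and not SonarSource's code: a sketch of the distinction drawn in the post above between a plugin that merely bundles commons-text and code that names `StringSubstitutor`. The affected range (1.5 through 1.9, fixed in 1.10.0) is the published range for CVE-2022-42889; the plugin jars, class names and file names in `demo()` are constructed stand-ins.

```python
import io
import re
import zipfile

# CVE-2022-42889 affects Apache Commons Text 1.5 through 1.9; 1.10.0 is fixed.
AFFECTED_MIN, AFFECTED_MAX = (1, 5), (1, 9)
JAR_RE = re.compile(r"(?:^|/)commons-text-(\d+)\.(\d+)(?:\.\d+)*\.jar$")
LIB_PKG = "org/apache/commons/text/"
# Class names are stored in a .class constant pool in this slash-separated form.
NEEDLE = (LIB_PKG + "StringSubstitutor").encode()

def scan_jar(data, name):
    """Return (bundled, callers) for one jar, recursing into nested jars.
    bundled: (path, version, in_affected_range) per commons-text jar found.
    callers: classes outside commons-text whose bytes name StringSubstitutor."""
    bundled, callers = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            path = f"{name}!/{entry}"
            m = JAR_RE.search(entry)
            if m:
                ver = (int(m.group(1)), int(m.group(2)))
                affected = AFFECTED_MIN <= ver <= AFFECTED_MAX
                bundled.append((path, f"{ver[0]}.{ver[1]}", affected))
            elif entry.endswith(".jar"):
                b, c = scan_jar(zf.read(entry), path)
                bundled += b
                callers += c
            elif entry.endswith(".class") and not entry.startswith(LIB_PKG):
                if NEEDLE in zf.read(entry):
                    callers.append(path)
    return bundled, callers

def make_jar(files):
    """Build an in-memory jar from {entry_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in files.items():
            zf.writestr(entry, content)
    return buf.getvalue()

def demo():
    # Constructed stand-ins: byte blobs, not real class files or real plugins.
    lib = make_jar({LIB_PKG + "StringSubstitutor.class": NEEDLE})
    quiet = make_jar({"META-INF/lib/commons-text-1.8.jar": lib,
                      "com/example/Rule.class": b"\xca\xfe\xba\xbe no reference"})
    caller = make_jar({"META-INF/lib/commons-text-1.8.jar": lib,
                       "com/example/Tpl.class": b"\xca\xfe\xba\xbe" + NEEDLE})
    return scan_jar(quiet, "quiet.jar"), scan_jar(caller, "caller.jar")
```

To check a real plugin jar, pass its bytes and file name to `scan_jar`. The byte match is a heuristic: a hit only shows the class is named, not that untrusted input reaches it, and reflective or shaded use would not be found.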

Hi Colin,

Could you confirm if that’s a typo on the CVE in your message? Should it be CVE-2022-42889 instead of 32889?

Could you also confirm if 8.9.6 is impacted, I know you mentioned we should update to the latest 8.9.10 LTS but wanted to see if 8.9.6 is vulnerable as well.

Thanks!

Thanks for catching the typo. It was just that.

No version of v8.9 LTS is vulnerable, but you should use the latest patch version to make sure you have the latest security updates.

Hi Colin,

We are using SonarQube 7.9.4 Community version with the plugins below enabled. Can you please confirm whether it is affected by CVE-2022-42889?

List of enabled plugins:

  • csharp - 8.9
  • checkstyle - 8.38
  • findbugs - 4.0.2
  • scmgit - 1.12
  • jacoco - 1.1.0
  • java - 6.3.2
  • ldap - 2.2
  • PHP - 3.5.0.5655
  • PMD - 3.2.1
  • Python - 2.13
  • cssfamily - 1.2
  • flex - 2.5.1
  • go - 1.6.0
  • SonarHTML - 3.2
  • javascript - 6.2.1
  • kotlin - 1.5.0
  • ruby - 1.5.0
  • sonarscala - 1.5.0
  • typescript - 2.1
  • XML - 2.0.1
  • scmsvn - 1.10
  • vbnet - 8.9
  • plsqlopen - 2.4.0
  • depend - 1.1.1

This version has been EOL for almost two years. You should upgrade to a supported version (8.9.10 or 9.7). We won’t offer any statement on EOL versions of SonarQube which, by their very nature of no longer being supported, represent an operational/security risk if you’re still using one.

Hi…

I’m using SonarQube Enterprise and upgraded to the latest version, 9.7, but the vulnerability still exists:
/data/sonarqube/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
/data/sonarqube/temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
Can you give me a recommendation to solve this issue? Is it possible to replace the version manually?

Thanks
Andik

Hi Andik,

Welcome to the community!

As I said earlier:

Thus, having the jar does not make SonarQube 9.7 - or other versions - vulnerable. There is no recommendation to “solve the issue” because there is no issue. You should not tamper with the SonarQube distribution, but use it as-is.

 
HTH,
Ann

2 Likes

@ganncamp Ann, what you say is understandable; however, security people who do these scans typically consider the mere existence of the jar files to be a security issue automatically. Also, the sonar scanner seems to use the sonar-securityjavafrontend-plugin.jar file as well… On a side note, when is the next LTS release coming up (planned)? It is mentioned here that some of the fixes may be in the new release of the product, but not necessarily in a patch to the LTS version.

Hi,

The next LTS will be out in 2023Q1.

 
HTH,
Ann