CVE-2022-42889 effect on SonarQube

We are using SonarQube version 8.9.6. Is this version affected by CVE-2022-42889?

Hello,

I upgraded the SQ server to version 9.7 today and scanned the system for the CVE but still found a possible vulnerability:

[2022-10-21 07:48:05.766095] VULNERABLE: sonarqube-9.7.0.61563\data\web\deploy\plugins\securityjavafrontend\META-INF\lib\commons-text-1.8.jar [f2243d67b348e7175f55902cdb7e54af: commons-text-1.8]
[2022-10-21 07:48:21.328839] VULNERABLE: sonarqube-9.7.0.61563\temp\ce-exploded-plugins\securityjavafrontend\META-INF\lib\commons-text-1.8.jar [f2243d67b348e7175f55902cdb7e54af: commons-text-1.8]

As far as I can see, securityjavafrontend is a bundled plugin within the distributed ZIP file. Am I right, and if so, can you assure me that my scanner is mistaken, or is this plugin indeed using the vulnerable commons-text version?

Thanks in advance.
Regards,

Richard Diederen.

1 Like

Hello,
I also just updated to the latest patch of 8.9 LTS but still see the same version of the library.

@ganncamp As you mentioned above, it shouldn't impact us. Is that the verdict, or do we need to wait for a new patch?

./sonarqube-8.9.9.56886/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar ./sonarqube-8.9.9.56886/temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar

Best Regards
Jashan Sidhu

Hi,
We are using SonarQube Developer Edition 8.9.6. Are you planning to update the commons-text dependency version to 1.10.0 and release a patch version for 8.9.6 (just to be safe)? Please confirm.

Thanks,
Muhil

On a related note, your instance may already be vulnerable to other issues because it's not updated. SonarQube 8.9.6 was released in 2021; the latest LTS version is 8.9.10.

1 Like

Hey all.

  • SonarQube is not vulnerable to CVE-2022-42889, neither v8.9.10 LTS nor v9.7.
  • org.apache.commons.text.StringSubstitutor, the use of which can lead to a vulnerability, is not used in either version.
  • We will in any case update the dependency version (or try to drop it entirely) in future SonarQube versions (starting with v9.8) to suppress the warning. There are no plans at the moment to update v8.9 LTS.

We will keep you posted if anything changes.

3 Likes

Hi Colin,

Could you confirm if that’s a typo on the CVE in your message? Should it be CVE-2022-42889 instead of 32889?

Could you also confirm if 8.9.6 is impacted, I know you mentioned we should update to the latest 8.9.10 LTS but wanted to see if 8.9.6 is vulnerable as well.

Thanks!

Thanks for catching the typo. It was just that.

No version of v8.9 LTS is vulnerable, but you should use the latest patch version to make sure you have the latest security updates.

Hi Colin,

We are using SonarQube 7.9.4 Community Edition with the plugins enabled below. Can you please confirm whether it is affected by CVE-2022-42889?

List of enabled plugins:

  • csharp - 8.9
  • checkstyle - 8.38
  • findbugs - 4.0.2
  • scmgit - 1.12
  • jacoco - 1.1.0
  • java - 6.3.2
  • ldap - 2.2
  • PHP - 3.5.0.5655
  • PMD - 3.2.1
  • Python - 2.13
  • cssfamily - 1.2
  • flex - 2.5.1
  • go - 1.6.0
  • SonarHTML - 3.2
  • javascript - 6.2.1
  • kotlin - 1.5.0
  • ruby - 1.5.0
  • sonarscala - 1.5.0
  • typescript - 2.1
  • XML - 2.0.1
  • scmsvn - 1.10
  • vbnet - 8.9
  • plsqlopen - 2.4.0
  • depend - 1.1.1

This version has been EOL for almost two years. You should upgrade to a supported version (8.9.10 or 9.7). We won't offer any statement on EOL versions of SonarQube which, by their very nature of no longer being supported, represent an operational/security risk if you're still using one.

Hi,

I'm using SonarQube Enterprise and upgraded to the latest version 9.7, but the vulnerability still exists:
/data/sonarqube/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
/data/sonarqube/temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
Can you give me a recommendation to solve this issue? Is it possible to replace the version manually?

Thanks
Andik

Hi Andik,

Welcome to the community!

As I said earlier:

Thus, having the jar does not make SonarQube 9.7 - or other versions - vulnerable. There is no recommendation to “solve the issue” because there is no issue. You should not tamper with the SonarQube distribution, but use it as-is.

 
HTH,
Ann

2 Likes
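As an added example (not code from this thread or from SonarSource), the distinction Colin and Ann draw between "the jar is present" and "the vulnerable class is actually used" can be turned into a check: the script flags bundled commons-text jars older than 1.10.0 by filename, as the posters' scanners do, and separately searches every other jar's class files for a reference to org/apache/commons/text/StringSubstitutor. The byte search of class files and the fixture built by build_demo are constructed here; a reference is a reason to investigate, not proof of exploitability, and no reference supports the "bundled but unused" argument.

```python
"""Bundled-jar check vs. reference check for CVE-2022-42889 (added example)."""
import io
import os
import re
import tempfile
import zipfile

JAR_NAME = re.compile(r"commons-text-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")
FIXED_VERSION = (1, 10, 0)          # commons-text 1.10.0 removed the risky interpolators
# Referenced class names are stored as UTF8 constants in a class file, so a byte
# search for the internal name is a cheap, approximate reachability test.
SUBSTITUTOR = b"org/apache/commons/text/StringSubstitutor"

def jar_version(path):
    """Return the commons-text version tuple encoded in a jar file name, or None."""
    m = JAR_NAME.search(path.replace("\\", "/"))
    return None if not m else tuple(int(g) if g else 0 for g in m.groups())

def references_substitutor(jar_bytes):
    """True if a class outside commons-text itself names StringSubstitutor."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and not name.startswith("org/apache/commons/text/"):
                if SUBSTITUTOR in zf.read(name):
                    return True
    return False

def assess(root):
    """Walk a tree; return (outdated commons-text jars, jars that reference StringSubstitutor)."""
    bundled, referencing = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            v = jar_version(path)
            if v is not None and v < FIXED_VERSION:
                bundled.append(path)
            elif f.endswith(".jar"):
                with open(path, "rb") as fh:
                    if references_substitutor(fh.read()):
                        referencing.append(path)
    return bundled, referencing

def build_demo():
    """Constructed fixture: a bundled commons-text-1.8.jar, a plugin that only
    uses StringEscapeUtils, and a plugin that references StringSubstitutor."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "plugins", "META-INF", "lib")
    os.makedirs(lib)
    fake_class = lambda ref: b"\xca\xfe\xba\xbe" + ref   # class magic + constant-like bytes
    with zipfile.ZipFile(os.path.join(lib, "commons-text-1.8.jar"), "w") as zf:
        zf.writestr("org/apache/commons/text/StringSubstitutor.class", fake_class(SUBSTITUTOR))
    with zipfile.ZipFile(os.path.join(root, "plugins", "safe.jar"), "w") as zf:
        zf.writestr("com/example/Safe.class", fake_class(b"org/apache/commons/text/StringEscapeUtils"))
    with zipfile.ZipFile(os.path.join(root, "plugins", "uses-substitutor.jar"), "w") as zf:
        zf.writestr("com/example/Risky.class", fake_class(SUBSTITUTOR))
    return root
```

Run `assess` over an unpacked SonarQube directory (or the `.sonar/cache` tree mentioned later in the thread) to see which jars merely bundle the library and which ones actually name the class.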

@ganncamp Ann, it is understandable what you say; however, the security people who do these scans typically consider the mere fact that the jar files exist a security issue. Also, the sonar scanner seems to use the sonar-securityjavafrontend-plugin.jar file as well. On a side note, when is the next LTS release coming up (planned)? It is mentioned here that some of the fixes may be in the new release of the product, but not necessarily in a patch to the LTS version.

Hi,

The next LTS will be out in 2023Q1.

 
HTH,
Ann

Thank you @ganncamp Ann! 👍

@ganncamp Any chance this will be in the next 9.7 patch release?

Hi @mkim,

Welcome to the community!

  • We’re not planning another 9.7 patch
  • There’s no “this” to include in it. SonarQube is not affected by CVE-2022-42889

 
Ann

@ganncamp That's been stated multiple times, so I get it; unfortunately, this is not acceptable to our security folks, so I have to re-emphasize the first statement by @EugeneL.

Hi,

Fair enough. I’ve pinged internally, but I don’t expect any movement.

 
Ann

When I execute the sonarqube task in my Gradle project, the .sonar folder gets created, and inside it I am able to find the commons-text library which has the vulnerability:

/.sonar/cache/80d9311b88f4c25555863d476af6a6be/sonar-findbugs-plugin.jar_unzip/META-INF/lib/commons-text-1.9.jar
/.sonar/cache/3314cd4f9160350d8f07cc8ab42fdc2d/sonar-securityjavafrontend-plugin.jar_unzip/META-INF/lib/commons-text-1.8.jar

I have tried upgrading the sonarqube-gradle-plugin version to 3.3, but no luck.

Can someone please help resolve the commons-text-1.8 and commons-text-1.9 jar vulnerability problem on an urgent basis?
To which sonarqube-gradle-plugin version should I upgrade?