Iptor response to Apache Commons Text vulnerability (CVE-2022-42889)

Last updated 28th October 2022


Update 2022-10-28

Apache Commons Text vulnerability update.

Iptor Product Development has now published a new version of XTUI, 4.5.1.6.

The Apache Commons Text library has been replaced with version 1.10.

Please contact your primary contact or Iptor support if you would like to have the new version installed.

In parallel with the development of our own new version, we have also asked our partners about their software.
Currently I have the following list of Iptor partner software.

All answers are based on each partner's latest version of the software unless stated otherwise.


Partner     Apache vulnerability impact
Qlik        Waiting for answer
Adobe       AEM 6.5 is not impacted
Interform   Latest version is not impacted
Corzia      Latest version is not impacted
Medius      AP & Capture modules are not impacted
Nextway     Latest version is not impacted
NiFi        Impacted, they are working on an update
Xtellus     Waiting for answer

If you have any further questions about our partner software in relation to this vulnerability, please contact Iptor support.

Update 2022-10-24

Apache Commons Text vulnerability update.

The mitigation action plan is now ready.

The PDF can be downloaded here.

Note that the instructions are for XTUI version 4.5.x and not for older versions.

Iptor's recommendation is to always run on the latest version.

If you have any questions on how to follow the instructions, please reach out to Iptor support.

Update 2022-10-21

Apache Commons Text vulnerability update.

Work on the mitigation action plan is progressing. We still expect it to be available on Monday; testing may take all of Monday, but I am confident it will be available that day.

New version of XT.

We now have confirmation from our Product Development team that a new version, in which the Commons Text vulnerability is removed, will be available next week.

Keep an eye on this page to see when it will be released.

I have had a few questions about older versions of XT.

To clarify: Iptor will only create a mitigation action plan for the current latest version, 4.5.

Older versions should already have been upgraded, as they carry vulnerabilities due to their age.

Iptor’s recommendation is to always upgrade to the latest version.

There have also been some questions about the web interface to XT.

The vulnerability lies in the XT installation. If you use the web interface, the vulnerability resides on the server running XT and must be managed there.

This means that you need to review the access rules for that server to determine the security risk to your organization.

The XT application gives you several different options for how to access the application, and Iptor will release a new version in which this vulnerability has been removed, regardless of how you use XT. Risk assessments must be made for each environment, taking into account how access to XT is structured and what protections are in place for that access.

Update 2022-10-20

Apache Commons Text vulnerability update.

The Iptor teams have been working hard on the mitigation action plan and the delivery of a new XT version.

The mitigation action plan is expected to be tested and verified this week and will be available to customers on Monday.

The new version of XT is still in the planning phase, and an expected delivery date will be announced very soon.

Iptor has also secured the XT application on the Iptor.com and Iptor 1 platforms.

The Apache Commons Text vulnerability has been discussed in various forums over the last 2-3 days, and Iptor has revised its assessment of the security risk accordingly.

The vulnerability allows code injection and, through that, access to a server. If it is exploited, the attacker can then move laterally through the infrastructure and potentially gain access to the entire enterprise environment.

The vulnerability is still rated Critical, 9.8, but the security risk also depends on how likely it is to be used in a malicious way.

Instructions on how to exploit this vulnerability are openly available on the Internet, and it does not require advanced hacking skills.

At the same time, the attacker must have access to where the application is installed and knowledge of how the application uses the Apache Commons Text library.

This means that if the vulnerable application in your environment is for internal use only and sits behind firewall, EDR, IPS and IDS protection, an attacker must first get through those defences before exploiting this vulnerability.

In that scenario, the security risk is lower than if the application you have is exposed to the internet and anyone will be able to take advantage of this vulnerability.

The overall security risk must be assessed by each organization itself, and all actions must be aligned with the security risk resulting from that assessment.

Iptor's recommendation is to ensure that the vulnerability is first blocked or mitigated by standard security measures such as firewalls, EDR, IPS and IDS.

Second, we recommend removing the vulnerable part of the application if possible. For Iptor XTUI, we will deliver a mitigation action plan on Monday.

The most secure way is to upgrade and always run the latest version. For XTUI we will shortly deliver a date when a new version of XT will be available where the Apache vulnerability is not present.
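An inventory check in the spirit of the recommendations above, added here as an example and not Iptor's own tooling: it walks an install directory for Apache Commons Text jars and flags anything below 1.10.0, the release that disables the script, dns and url lookups behind CVE-2022-42889. The XTUI directory layout and the sample jars it builds are constructed for the demo, not taken from the product.

```python
"""Inventory Apache Commons Text jars under a directory and flag anything below 1.10.0,
the release that disables the script/dns/url lookups exploited in CVE-2022-42889.
Constructed example: the sample jars and paths built below are hypothetical."""
import os
import re
import tempfile
import zipfile

FIXED = (1, 10, 0)
NAME_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'1.9' -> (1, 9, 0): pad to three numeric parts so tuple comparison works."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def jar_version(path):
    """Version from the filename, else from META-INF/MANIFEST.MF; None if neither says."""
    m = NAME_RE.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return parse_version(m.group(1)) if m else None

def scan(root):
    """Sorted (path, version, needs_upgrade) per commons-text jar; unreadable versions are flagged too."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("commons-text") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                findings.append((path, ver, ver is None or ver < FIXED))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample install: an old jar named by version, a patched jar whose
    version is only in its manifest, and a jar that states no version at all."""
    root = tempfile.mkdtemp(prefix="xtui-demo-")
    specs = {"lib/commons-text-1.9.jar": "Manifest-Version: 1.0\n",
             "lib/commons-text.jar": "Implementation-Version: 1.10.0\n",
             "plugins/commons-text-shaded.jar": "Manifest-Version: 1.0\n"}
    for rel, manifest in specs.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return root
```

Run `scan` against a real XT install directory instead of `build_demo_tree()`; a jar reported with version `None` needs a manual look rather than being assumed safe.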

Update 2022-10-19

Iptor response to Apache Commons Text vulnerability (CVE-2022-42889)

A new vulnerability has been found in the Apache Commons Text Java library.
This vulnerability allows remote code execution by unauthorized users.
Iptor has a limited number of products using Java code. This vulnerable Java library is only used in our user interface application XT.
So far, no other products have been identified as containing this vulnerability, but we continue to scan and verify all versions of all our Java-based applications. We have a team working hard to find ways to mitigate this vulnerability alongside the development of a new version of XT that will include a verified secure version of the vulnerable Java library.
News about the progress will be posted on this webpage.

Please do not log an incident about this, as we are aware of the vulnerability and do not yet have a solution.

As soon as a mitigation plan is verified, we will reach out to all of you that we are aware of running XT to share the information. You will also find the mitigation plan on this webpage.

As soon as a new version of XT is available, we recommend that you upgrade your current version to the latest.

If you have questions or concerns about this matter, please contact [email protected] or your account manager. Iptor takes security and reliability as top priorities for our customers.

This page will be updated as new information becomes available.
