2022-11 Security update

Our commitment to Security and Privacy

Labforward is committed to achieving and maintaining the trust of our customers. Integral to this mission is that we always strive to provide robust security procedures and strictly adhere to the GDPR and our Privacy Policy. You can refer to our policy regarding security update disclosures here.

Summary

Labforward released a security update for Labfolder and Labregister. This patch updates the open-source Apache Commons Text library, as recommended by the Apache Software Foundation. Applying this patch mitigates the vulnerability documented in CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input.

Timeline of issue handling

  • October 13, 2022
    • Initial vulnerability report for CVE-2022-42889 disclosed by the Apache Software Foundation.
  • October 18, 2022
    • Automated OWASP vulnerability check failed in the CI environment due to the inclusion of the commons-text library v1.9.
    • CVE-2022-42889 escalated internally and immediately investigated by members of the engineering team.
    • External classification of the vulnerability: Base CVSS Score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
    • Investigation confirmed that the affected methods are not used in our application; therefore no immediate action was required.
    • Internal classification: Severity = Low, Exploitability = Exploitation Unlikely.
    • Application dependencies were updated to use commons-text v1.10 as recommended by the Apache Software Foundation, and the change was scheduled for release to customers as part of the standard software development lifecycle.
  • October 26, 2022
    • Regularly scheduled release v2.18.7, upgrading commons-text to v1.10.0, released to our Cloud server.
    • Hotfix release v2.18.8, upgrading commons-text to v1.10.0, published to our on-premises customers.
  • November 17, 2022
    • Publication of this security update to our security center.
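The timeline above hinges on two facts: an automated dependency check flagged commons-text v1.9 in CI, and the fix was to move to v1.10.0. The following is an added example (not Labforward's code and not the OWASP Dependency-Check tool itself) of the kind of CI gate that catches this: it parses a Maven POM, finds org.apache.commons:commons-text, resolves a ${property} version if one is used, and compares the version numerically against 1.10.0. The POM samples, the property name commons-text.version and the project coordinates are constructed for the example. Numeric comparison matters here because a plain string comparison ranks "1.9" above "1.10" and would pass the vulnerable version.

```python
"""Minimal CI-style dependency check for CVE-2022-42889 in a Maven POM.

Added example: not Labforward's code and not the OWASP Dependency-Check tool.
It fails a build when the project declares org.apache.commons:commons-text
older than 1.10.0, handling two details that trip up naive checks: versions
must compare numerically (1.9 < 1.10, although as strings "1.9" > "1.10"),
and the version element may be a ${property} reference.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
AFFECTED = ("org.apache.commons", "commons-text")
FIXED_VERSION = (1, 10, 0)  # first commons-text release without CVE-2022-42889


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '1.9' or '1.10.0' to a numeric tuple, padded to three
    components so '1.9' becomes (1, 9, 0) and orders before (1, 10, 0)."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for any commons-text release older than the fixed 1.10.0."""
    return parse_version(version) < FIXED_VERSION


def _properties(root: ET.Element) -> Dict[str, str]:
    """Collect <properties> so ${name} version references can be resolved."""
    props = {}
    for node in root.iterfind("m:properties/*", MAVEN_NS):
        name = node.tag.split("}", 1)[-1]  # drop the namespace prefix
        props[name] = (node.text or "").strip()
    return props


def _resolve(value: str, props: Dict[str, str]) -> str:
    """Expand Maven ${property} placeholders; unknown ones are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def scan_pom(pom_xml: str) -> List[dict]:
    """Return one finding per commons-text dependency declared in the POM.
    'vulnerable' is None when the version cannot be determined from this
    file (missing, or an unresolved placeholder); that case needs manual
    review rather than a silent pass."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    findings = []
    for dep in root.iterfind(".//m:dependency", MAVEN_NS):
        group = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS).strip()
        if (group, artifact) != AFFECTED:
            continue
        raw = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        version = _resolve(raw, props)
        status: Optional[bool]
        if not version or "${" in version:
            status = None
        else:
            status = is_vulnerable(version)
        findings.append({"coordinate": f"{group}:{artifact}", "version": version, "vulnerable": status})
    return findings


# Constructed sample POM: version pinned through a property, as many projects do.
SAMPLE_POM_VULNERABLE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <commons-text.version>1.9</commons-text.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>${commons-text.version}</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample: the same project after the upgrade to 1.10.0.
SAMPLE_POM_FIXED = SAMPLE_POM_VULNERABLE.replace("1.9", "1.10.0")

if __name__ == "__main__":
    for label, pom in (("before", SAMPLE_POM_VULNERABLE), ("after", SAMPLE_POM_FIXED)):
        for f in scan_pom(pom):
            print(f"{label}: {f['coordinate']} {f['version']} vulnerable={f['vulnerable']}")
```

A real CI gate would run this over every module's POM (or the resolved dependency tree, which also catches transitive pulls of commons-text) and fail the build on any finding whose status is True or None; a None result is the case where the version is inherited from a parent or BOM and has to be checked there.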

Severity = What is the worst theoretical outcome?

Rating: Low
Description: Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component or other factors; in this case, the affected software API is not used in the application.

Exploitability = What is the likelihood that a vulnerability addressed in a security update will be exploited?

Rating: Exploitation Unlikely
Description: Labforward analysis shows that working exploit code is unlikely to be used in real attacks. While exploit code that triggers the vulnerability and causes abnormal behavior might be released, the full impact of exploitation would be more limited. Moreover, Labforward has not observed this type of vulnerability being actively exploited in the past. The actual risk of this vulnerability being exploited is therefore significantly lower, and customers who have reviewed the security update to determine its applicability within their environment could prioritize this update below other vulnerabilities within a release.

General Recommendations

  • All users should always use the latest version of our recommended browsers (Chrome, Firefox, Edge and Safari). In addition, make sure to always update your operating system to the latest version, and have antivirus software in place to protect your devices and data.
  • IT admins of our On-Premises customers should update their systems as quickly as practical, especially when a new release includes a security patch.
  • IT admins of our On-Premises customers should keep the operating system and all components (e.g. Docker) of their on-prem servers up to date.
  • While our classification system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which updates are required to protect their systems.