Summary 

A critical vulnerability potentially allowing remote code execution in Apache Commons Text impacting versions 1.5 through 1.9 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2022-42889,  and is also commonly referred to as “Text4Shell”. 

This article provides currently available information about the potential impact of the vulnerability on Flexera products. 

NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.

As had been mentioned within the announcement of the maintainer of Apache Commons Text, while the vulnerability allows remote code execution, the vulnerability requires the use of an insecure configuration of Apache Commons Text. Such configurations are not expected to be common, but Flexera is nevertheless committed to assess its products based on any potential exposure. 

Flexera product assessment

The information on this page reflects: 

• The assessed status of Flexera's SaaS systems. 
• The assessed status of all versions of Flexera's products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at docs.flexera.com/eol/default.htm.

Related information

• National Vulnerability Database CVE definition: CVE-2022-42889 
• Apache Commons Text CVE-2022-42889 Announcement
• Information about CVE-2022-42899 for Revenera products

Change log 

2022-10-24 1:24pm CST: Initial notice posted

2022-10-24 10:45pm CST: Updated assessment status for: CloudScape / Foundation, Cloud Cost Optimization, IT Asset Management and SaaS Management

2022-10-26 7:25pm CST: Updated assessment status for App Portal / App Broker

2022-10-27 7:45am CST: Updated assessment status for AdminStudio