CVE-2022-42889 - Apache Commons Text Vulnerability and Broadcom's Response

20991

24 October 2022

Issue/Introduction

Broadcom security and product engineering teams are reviewing our information technology environment and product portfolio to identify and remediate any potential exposures to the recently disclosed critical vulnerability in applications using the Apache Commons Text library.

CVE-2022-42889 was published in the National Vulnerability Database on 13 October 2022. More information can be found here (https://nvd.nist.gov/vuln/detail/CVE-2022-42889). The vulnerability is caused by the use of Apache Commons Text 1.5 through 1.9.

Resolution

Corporate Infrastructure and Services: Broadcom’s Global Technology Organization is conducting software asset reviews to identify any potentially affected applications. Any necessary mitigations, including upgrades to patched versions of the Apache Commons Text library, will be implemented in accordance with vendor recommendations. At this time, we have no indication of compromise related to this vulnerability. 

Broadcom Products: Engineers from our product teams are assessing all software that incorporates use of Apache Commons Text 1.5 through 1.9. More specific information (e.g., information about necessary patches/hotfixes, workarounds, or other required customer actions) is available within the following security advisories from our product divisions, which are regularly updated: