Broadcom Agile Operations Software Security Advisory for Apache Commons Text CVE-2022-42889 Vulnerability
20988 | Updated: 28 October 2022 | Issued: 21 October 2022 | Status: OPEN | Severity: CRITICAL | CVSS: 9.8
Issued: October 21, 2022
Updated: October 28, 2022 2130 UTC
Broadcom Agile Operations Software is investigating an Apache Commons Text remote code execution vulnerability that was disclosed by the Apache Commons Text team on 2022-10-13. CVE identifier CVE-2022-42889 has been assigned to this vulnerability, and it has a Critical risk rating. The Apache Commons Text team addressed this vulnerability in version 1.10.0. Apache Commons Text versions 1.5 through 1.9 are affected. In addition to checking this advisory and the individual product support pages for updates, you may open a support case.
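The advisory gives the affected range (1.5 through 1.9, fixed in 1.10.0) but not a way to find which installed jars fall inside it. The script below is an added example, not Broadcom's or Apache's code: it walks a directory for jars, reads the standard Maven `META-INF/maven/org.apache.commons/commons-text/pom.properties` entry (so a shaded or renamed jar that bundles Commons Text is still found), falls back to the `commons-text-<version>.jar` file name, and flags anything in the affected range. `make_jar` only builds constructed sample jars for testing.

```python
"""Find Apache Commons Text jars in the CVE-2022-42889 range (1.5 through 1.9, fixed in 1.10.0).
Added example, not Broadcom's tooling; pom.properties first (catches shaded jars), file name second."""
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
FIRST_AFFECTED, FIXED = (1, 5), (1, 10)  # range stated in the advisory

def parse_version(text):
    """'1.9' -> (1, 9); '1.10.0' -> (1, 10, 0); trailing qualifiers are ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group().split("."))

def is_affected(version):
    """True when 1.5 <= version < 1.10 (tuple order puts 1.10.0 above 1.10)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED

def commons_text_version(jar_bytes, file_name):
    """Version from the embedded pom.properties, else from the file name, else None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS in zf.namelist():
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    return value.strip()
    match = re.match(r"commons-text-(\d+(?:\.\d+)*)\.jar$", file_name)
    return match.group(1) if match else None

def scan(root):
    """Return [(path, version, affected)] for every commons-text jar below root."""
    hits = []
    for path in sorted(Path(root).rglob("*.jar")):
        version = commons_text_version(path.read_bytes(), path.name)
        if version is not None:
            hits.append((str(path), version, is_affected(version)))
    return hits

def make_jar(version=None):
    """Constructed sample jar: pom.properties with the given version, or none at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(POM_PROPS, f"artifactId=commons-text\nversion={version}\n")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan("."):  # point this at the product's lib/ or webapps/ directory
        print(f"{hit[0]}: commons-text {hit[1]} -> {'AFFECTED' if hit[2] else 'ok'}")
```

A jar that bundles Commons Text without its pom.properties (some fat-jar tools strip META-INF/maven) will be missed, so treat a clean result as evidence, not proof, and confirm against the product KB articles listed below.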
Risk Rating
CVE: CVE-2022-42889 - Critical
Base CVSS 3.1 Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
Agile Requirements Designer (ARD) - https://knowledge.broadcom.com/external/article?articleId=252551
Clarity PPM On Premise - https://knowledge.broadcom.com/external/article?articleId=252493
Clarity PPM SaaS - https://knowledge.broadcom.com/external/article?articleId=252493
Continuous Delivery Director - https://knowledge.broadcom.com/external/article?articleId=252613
Continuous Delivery Director SaaS - https://knowledge.broadcom.com/external/article?articleId=252613
DX Operational Intelligence - https://knowledge.broadcom.com/external/article?articleId=252482
SDM xFlow module - https://knowledge.broadcom.com/external/article?articleId=252467
Service Virtualization (DevTest) - https://knowledge.broadcom.com/external/article?articleId=252557
Test Data Manager (TDM) - https://knowledge.broadcom.com/external/article?articleId=252558
Products Under Investigation
App Synthetic Monitor (ASM) - https://knowledge.broadcom.com/external/article?articleId=252503
DX NetOps CABI - https://knowledge.broadcom.com/external/article?articleId=252335
Non-Affected Products that include Apache Commons Text
Application Performance Management (APM) - https://knowledge.broadcom.com/external/article?articleId=252479
Application Performance Management SaaS (APM) - https://knowledge.broadcom.com/external/article?articleId=252479
AppNeta - https://knowledge.broadcom.com/external/article?articleId=252887
Automic Applications Manager (AM) - https://knowledge.broadcom.com/external/article?articleId=252463
Automic Continuous Delivery Automation - https://knowledge.broadcom.com/external/article?articleId=252447
Automic One Automation - https://knowledge.broadcom.com/external/article?articleId=252447
Automic Workload Automation - https://knowledge.broadcom.com/external/article?articleId=252447
Autosys Workload Automation - https://knowledge.broadcom.com/external/article?articleId=252472
DX Application Performance Management - https://knowledge.broadcom.com/external/article?articleId=252479
DX APM SaaS - https://knowledge.broadcom.com/external/article?articleId=252479
DX NetOps Network Flow Analysis (NFA) - https://knowledge.broadcom.com/external/article?articleId=252335
DX NetOps Spectrum - https://knowledge.broadcom.com/external/article?articleId=252335
Harvest Software Change Manager - https://knowledge.broadcom.com/external/article?articleId=252468
Spectrum - https://knowledge.broadcom.com/external/article?articleId=252335
Unified Infrastructure Management (Nimsoft / UIM) - https://knowledge.broadcom.com/external/article?articleId=252458
Workload Automation AE - https://knowledge.broadcom.com/external/article?articleId=252472
Workload Automation AE - System Agent (AutoSys) - https://knowledge.broadcom.com/external/article?articleId=252472
Workload Automation iXP - https://knowledge.broadcom.com/external/article?articleId=252472
Non-Affected Products that do not include Apache Commons Text
2E - https://knowledge.broadcom.com/external/article?articleId=252468
Application Delivery Analysis - https://knowledge.broadcom.com/external/article?articleId=253123
App Experience Analytics (AXA) - https://knowledge.broadcom.com/external/article?articleId=252480
Application Experience Analytics SaaS (AXA) - https://knowledge.broadcom.com/external/article?articleId=252480
Automic Automation Intelligence - https://knowledge.broadcom.com/external/article?articleId=252455
Business Service Insight - https://knowledge.broadcom.com/external/article?articleId=252467
Capacity Manager
CAPKI
Client Automation - https://knowledge.broadcom.com/external/article?articleId=252501
Configuration Automation - https://knowledge.broadcom.com/external/article?articleId=252499
Dollar Universe
DX NetOps Mediation Manager (CAMM) - https://knowledge.broadcom.com/external/article?articleId=252335
DX NetOps OI Connector - https://knowledge.broadcom.com/external/article?articleId=252335
DX NetOps Performance Management (PM) - https://knowledge.broadcom.com/external/article?articleId=252335
DX NetOps Virtual Network Assurance (VNA) - https://knowledge.broadcom.com/external/article?articleId=252335
EEM
IT Asset Manager (ITAM) - https://knowledge.broadcom.com/external/article?articleId=252467
IT Process Automation (ITPAM) - https://knowledge.broadcom.com/external/article?articleId=252467
Mediation Manager (CAMM) - https://knowledge.broadcom.com/external/article?articleId=252335
Mobile Device Manager
NIM
Nolio Release Automation - https://knowledge.broadcom.com/external/article?articleId=252608
Performance Management (PM) - https://knowledge.broadcom.com/external/article?articleId=252335
Plex - https://knowledge.broadcom.com/external/article?articleId=252468
Rally Adapter for Jira - https://knowledge.broadcom.com/external/article?articleId=252502
Rally On Premise - https://knowledge.broadcom.com/external/article?articleId=252502
Rally Perpetual Hosted - https://knowledge.broadcom.com/external/article?articleId=252502
Rally SaaS - https://knowledge.broadcom.com/external/article?articleId=252502
Release Automation - DataManagement Server (Nolio) - https://knowledge.broadcom.com/external/article?articleId=252608
Release Automation - Release Operations Center (Nolio) - https://knowledge.broadcom.com/external/article?articleId=252608
Service Catalog - https://knowledge.broadcom.com/external/article?articleId=252467
Service Desk Manager - https://knowledge.broadcom.com/external/article?articleId=252467
Service Management - Asset Portfolio Management - https://knowledge.broadcom.com/external/article?articleId=252467
Service Operations Insight (SOI) - https://knowledge.broadcom.com/external/article?articleId=252538
System Performance for IM
SystemEDGE
Virtual Assurance for IM
Virtual Network Assurance (VNA) - https://knowledge.broadcom.com/external/article?articleId=252335
Workload Automation Agent - https://knowledge.broadcom.com/external/article?articleId=252570
Workload Automation DE - Scheduler (dSeries) - https://knowledge.broadcom.com/external/article?articleId=252540
Workload Automation DE - System Agent (dSeries) - https://knowledge.broadcom.com/external/article?articleId=252540
References
Broadcom main landing page for CVE-2022-42889: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/CriticalAlerts/0/20991
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42889
Apache Commons Text: https://commons.apache.org/proper/commons-text/security.html
GHSL-2022-018: Arbitrary Code Execution in Apache Commons Text - CVE-2022-42889 (Security Researcher Advisory) - https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/
Change History
Version 1.0: 2022-10-21 - Initial Release
Version 1.1: 2022-10-25 0615 UTC - Added all products with available status
Version 1.2: 2022-10-25 1545 UTC - Moved AppNeta from Affected to Not Affected
Version 1.3: 2022-10-27 0100 UTC - Moved DOI to Affected; moved SCM from Non-Affected without Apache Commons Text to Non-Affected with Apache Commons Text; changed AppNeta KB URL.
Version 1.4: 2022-10-27 1930 UTC - Moved SM-APM from Affected to Non-Affected.
Version 1.5: 2022-10-28 2130 UTC - Added Application Delivery Analysis KB URL.
Broadcom Software customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact Broadcom Software Support at https://support.broadcom.com/.
Copyright © 2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.