A major security vulnerability (CVE-2022-42889) has been discovered in Apache Commons Text versions 1.5 through 1.9. Commons Text is a commonly used library for formatting text. This vulnerability is also colloquially known as “Text4Shell” due to the potential for remote code execution. Lucidworks has analyzed the CVE and determined that none of its products are vulnerable, as indicated below.
|Fusion||4.x and lower||Not Vulnerable||N/A|
|Managed Fusion||All||Not Vulnerable||N/A|
|App Studio||All||Not Vulnerable||N/A|
Solr is not vulnerable to CVE-2022-42889. See the Solr Security bulletin for details.
Fusion 5.x Analysis
Fusion 5.x is not vulnerable to CVE-2022-42889, although a security scan run against Fusion 5.x may incorrectly flag the vulnerability as present. This is because the security scan will detect a vulnerable version of Commons Text, however we have confirmed that Fusion does not use the library in such a way that would make it vulnerable to this CVE. If a security scan shows this CVE as present in Fusion 5.x, it can safely be ignored. No mitigation steps are required.
Fusion 4.x and Lower Analysis
Fusion 4.x and lower use Commons Text v1.4 or lower, and is not impacted by CVE-2022-42889.
App Studio Analysis
App Studio uses Commons Text v1.3, and is not impacted by CVE-2022-42889.