Rapid7’s Impact from Apache Commons Text Vulnerability (CVE-2022-42889)

As stated in our Apache Commons Text blog post, CVE-2022-42889 is a vulnerability in the popular Apache Commons Text library that can result in code execution when processing malicious input, and affects versions 1.5 through 1.9. This vulnerability has been patched as of Commons Text version 1.10.

As part of standard due diligence, Rapid7 evaluates the potential impact of vulnerabilities in its products. This process includes validating the existence of the vulnerable libraries or services, interdependencies, the exploitability of the vulnerability in a given context, and impacts related to applying available patches.

Rapid7’s Nexpose console and InsightVM products were confirmed to include a vulnerable version of Apache Commons Text (commons-text.1.6.jar). While Rapid7’s assessment found no paths to exploit for this vulnerability, we remediated CVE-2022-42889 in the Security Console and Scan Engine by upgrading the Apache Commons Text component (release version 6.6.169). Please see our release notes for more information.