Summary & Key Actions Required

Following our investigations, we have concluded that this component is NOT exploitable in its current configuration within Avantra software.

At present we are continuing to analyze CVE-2022-42889 which we became aware of on the 17th of October 2022 and currently has a CVSS score of 9.8 and impacts the software component "Apache Commons Text". We will update this article as more information becomes available and will highlight if our recommendations or plans change.

The vulnerability affects versions 1.5 to 1.9 (inclusive) of the Apache Commons Text component and we can confirm that version 1.9 of this component is present in the current versions of Avantra Agent (up to and including 23.0.0).

Key Actions Required

• For the majority of customers, no action is required

• We do not believe that this component is exploitable in its current configuration within Avantra software however customers that are concerned about this CVE should upgrade to Avantra 23.0.1 or higher

• Update Avantra to 23.0.1 or higher to use a later version of the affected third party dependency.

Related security articles:

• Avantra Hardening Guide

CVE-2022-42889 Summary

Please see this article for more information:

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Impact to Avantra

We are completing our investigations and analysis around this CVE and will update this article if any more information is available. At present, we do not believe that this component is exploitable in its current configuration within Avantra software.

Impact on our customers

At present, there is limited impact on Avantra customers. For customers that are concerned, please update to Avantra 23.0.1 or higher.

Change Log

We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.