Skip to main content
Hitachi Vantara Knowledge

"Text4Shell" - Remote Code Execution Vulnerability in Apache Commons Text Library

Priority: High

Status: In Progress- Undergoing Analysis

 

First Published: 31 October 2022

Advisory Version: 1.2

References: CVE-2022-42889

 

Summary

A remote code execution vulnerability was recently discovered in the open-source Apache Commons Text library, affecting versions 1.5 to 1.9 inclusive. Interpolator usage in these affected versions could allow an attacker using malicious input to execute arbitrary code. This vulnerability is fixed in Apache Commons Text v1.10.0, in which the involved interpolators are disabled by default.

Affected Products

Vulnerable Products

Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding mitigations or fixed release versions (if such information is available at the time). Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.

NOTE: If cited, product documentation, including product-specific Alerts and Technical Bulletins, are available to Hitachi Vantara customers logged into Support Connect.

Product Notes / Fixed Release Version
Content Products
Content Intelligence Certain HCI components use the Apache Commons Text version 1.6. This will be addressed in HCI v2.2.1

 

 

Products Confirmed Not Vulnerable

* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as vulnerable as they continue to be evaluated for risk.

Product Notes / Fixed Release Version
Storage Systems
Hitachi Virtual Storage Platform VSP E990, VSP E790, VSP E590 Not affected. Apache Commons Text is not used.
Hitachi Virtual Storage Platform VSP G130, F/G350, VSP F/G370, VSP F/G700, VSP F/G900 Not affected. Apache Commons Text is not used.
Hitachi Virtual Storage Platform VSP G200, VSP F/G/N400, VSP F/G/N600, VSP F/G/N800 Not affected. Apache Commons Text is not used.
Hitachi Virtual Storage Platform VSP 5100,  VSP 5100H,  VSP 5500, VSP 5500H
(VSP 5x00) RAID 900
Not affected. Apache Commons Text is not used.
Hitachi Virtual Storage Platform VSP 5200,  VSP 5200H,  VSP 5600, VSP 5600H
(VSP 5x00) RAID 900
Not affected. Apache Commons Text is not used.
Hitachi Virtual Storage Platform G1000, F/G1500
(VSP F/G1x00) RAID 800
Not affected. Apache Commons Text is not used.
Hitachi Virtual Storage Platform (VSP) RAID 700 Not affected. Apache Commons Text is not used.
Hitachi Unified Storage VM (HUS VM) HM700 Not affected. Apache Commons Text is not used.
Hitachi Adaptable Modular Storage DF800S, DF800M, DF800H (AMS 2x00) Not affected. Apache Commons Text is not used.
Hitachi Unified Storage DF850XS, DF850S, DF850MH (HUS 1x0) Not affected. Apache Commons Text is not used.
Content Products
Content Platform Not affected. Apache Commons Text is not used.
Content Platform S Series Not affected. Apache Commons Text is not used.
Content Platform Gateway Not affected. Apache Commons Text is not used.
HCP for Cloud Scale Not affected. String interpolators are not used. We will still upgrade the version of Apache Commons Text in a future HCP CS release to avoid false positive security scans
Content Platform Anywhere Not affected. Apache Commons Text is not used.
Network Attached Storage  
HNAS 5000 Series Not affected. Apache Commons Text is not used.
HNAS 4000 Series Not affected. Apache Commons Text is not used.
VSP G/F.N NAS Modules Not affected. Apache Commons Text is not used.
SMU Not affected. Apache Commons Text is not used.
Software Products  
Hitachi Remote Ops (HRO) Not affected. Apache Commons Text is not used.
Hitachi Remote Access Control Center (RACC) Not affected. Apache Commons Text is not used.
Hitachi Ops Center
Administrator (formerly HSA)
Not affected. Uses Apache Commons Text, but the function related to the vulnerability is not used
Hitachi Ops Center
Analyzer (Detail View), Analyzer (Probe)
Not affected. Uses Apache Commons Text, but the function related to the vulnerability is not used
Hitachi Ops Center
Analyzer (HIAA), Analyzer (Viewport), Analyzer (RAID Agent)
Not affected. Uses Apache Commons Text, but the vulnerable configuration is not used
Hitachi Ops Center
Automator
Not affected. Apache Commons Text is not used.
Hitachi Device Manager (HDvM)
Agent
Not affected. Apache Commons Text is not used.
Hitachi Tuning Manager (HTnM)
Server and Agent
Not affected. Apache Commons Text is not used.
Hitachi Dynamic Link Manager (HDLM) Not affected. Apache Commons Text is not used.
Hitachi Compute Systems Manager (HCSM) Not affected. Apache Commons Text is not used.
Hitachi Configuration Manager (HCM) Not affected. Uses fixed version of Apache Commons Text
Hitachi Data Instance Director (HDID) / Data Protector Not affected. Apache Commons Text is not used.

 

Recommended Actions

Please continue to check this Security Advisory, as new information will be added to it as it becomes available.

 

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.