Hello,
@Jaekwang Kim. We are aware of this CVE. However, the gateway's usage of the commons text library is limited to XML escaping functionality and does not use 'commons-text' interpolators for string lookups (vulnerable code), so there is no actual impact on the gateway. At this time, you cannot remove/upgrade the library on your own, because the gateway is making use of its 'StringEscapeUtils' class for XML escaping. This CVE will have to be resolved by Layer7 in a future CR.
------------------------------
Ben Urbanski
Product Manager, API Gateway
Layer7 API Management
------------------------------
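To check a claim like the one above against your own deployment (which classes reference the interpolating `StringSubstitutor`/`StringLookupFactory` path that CVE-2022-42889 concerns, versus only `StringEscapeUtils`), here is an added triage script; it is not Layer7's code or part of the thread, and the sample jar, class names and paths are constructed placeholders.

```python
import io
import zipfile

# commons-text class references relevant to CVE-2022-42889: the interpolating
# StringSubstitutor / StringLookupFactory path is the vulnerable one; the
# StringEscapeUtils XML-escaping path is not.
INTERPOLATOR_REFS = (
    b"org/apache/commons/text/StringSubstitutor",
    b"org/apache/commons/text/lookup/StringLookupFactory",
)
ESCAPE_REF = b"org/apache/commons/text/StringEscapeUtils"


def scan_jar(jar_bytes: bytes) -> dict:
    """Classify each .class entry by the commons-text API it references.

    Class references live as plain UTF-8 in the constant pool, so a byte
    search over each entry is sufficient for exposure triage.
    """
    result = {"interpolator": [], "escape_only": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            if any(ref in data for ref in INTERPOLATOR_REFS):
                result["interpolator"].append(name)
            elif ESCAPE_REF in data:
                result["escape_only"].append(name)
    return result


def exposure(scan: dict) -> str:
    """'review' if any class reaches the interpolator; else 'escape-only' or 'none'."""
    if scan["interpolator"]:
        return "review"
    return "escape-only" if scan["escape_only"] else "none"


def build_sample_jar() -> bytes:
    """Constructed sample jar: fake .class bodies carrying the reference strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/XmlOut.class",
                    b"\xca\xfe\xba\xbe" + ESCAPE_REF + b"escapeXml11")
        zf.writestr("com/example/Templ.class",
                    b"\xca\xfe\xba\xbe" + INTERPOLATOR_REFS[0] + b"createInterpolator")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()
```

Run `scan_jar` over the application's own jars (not the commons-text jar itself, which naturally contains both classes); a hit under `interpolator` means the code path the CVE affects is reachable and needs review, while `escape-only` matches the situation described in the reply.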
Original Message:
Sent: Oct 20, 2022 02:00 AM
From: Jaekwang Kim
Subject: Apache Commons Text Vulnerability Security
I'd like to inquire about Apache Commons Text Vulnerability Security. Vulnerability in Remote Code Execution (CVE-2022-42889)
There is a security vulnerability issue and the CA API Gateway 10.1 is using commons-text-1.7.jar.
Will it be resolved if I upgrade to commons-text-1.10.jar?