Datacom/Ideal *NOT* affected by recent Apache Commons Text vulnerability

    Broadcom Employee
    Posted Oct 21, 2022 06:32 PM
    Edited by Lenn Thompson Oct 24, 2022 09:17 AM
    Datacom CADRE members,

    I hope you all have received the Broadcom security vulnerability notification on Apache Commons Text CVE-2022-42889 (Interpolations that allow RCE) over the past two days.

    Here is a link to Broadcom Support's latest published update on this vulnerability:
    https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/Broadcom-Mainframe-Software-Security-Advisory-for-Apache-Commons-Text-CVE-2022-42889-Interpolations-that-allow-RCE/20979
    (The content at this link continues to be updated regularly as new information is available on various Broadcom products that are or may be affected.)

    • The Datacom SQL Performance Analyzer (SQL PA) is the only component in the Datacom/Ideal product family that uses Apache Commons Text 1.4-1.9.
    • We have now determined that the SQL Performance Analyzer does not use the vulnerable code in Apache Commons Text 1.4-1.9.
    • Therefore, no immediate action needs to be taken for sites using the SQL PA.

    As a routine matter, however, we will publish an update to the SQL PA soon, after the newer version of Apache Commons Text (that has been remediated for the vulnerability) is incorporated.  We will plan to notify you here when we have published our update to the SQL PA.

    If by some chance you are not receiving security vulnerability notifications for Broadcom products, we recommend you subscribe to them on the Support website.  Here are the steps to subscribe:

    1. Sign on to https://support.broadcom.com.
    2. In the upper right corner, to the right of your name, click on the down arrow.
    3. Select Notification Settings.
    4. For each of the following products/components (and others you may want), scroll down in the list or use the Search box (probably faster), and turn on Security Advisories:
        • Datacom
        • Datacom/DB
        • Datacom/AD
        • Datacom Server
        • Ideal
        • IPC
        • (and any other Broadcom mainframe products/components you use)

    We want to ensure you are aware of security vulnerabilities when they are found so that you can keep your systems secure.  Subscribing to the notifications is the best way to do that.


    ------------------------------
    Dale Russell
    Product Owner, Datacom Product Family
    Broadcom Software
    ------------------------------
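The post above settles the question for SQL PA by inspecting which Apache Commons Text version it bundles and whether the affected code path is reached. The following added example (not Broadcom's code, and not from the post) shows the first half of that check for any Java artifact: read the Maven `pom.properties` that commons-text ships inside its jar and compare the version against the range Apache lists as affected by CVE-2022-42889 (1.5 through 1.9, fixed in 1.10.0). The sample jars are constructed in memory; a real scan would point `commons_text_version` at jars from the installed product.

```python
import io
import re
import zipfile

# Version range Apache lists as affected by CVE-2022-42889 (fixed in 1.10.0).
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)
# Path of the Maven metadata that commons-text carries inside its own jar.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"


def parse_version(text):
    """Turn '1.9' or '1.10.0' into a comparable (major, minor) tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:2])


def commons_text_version(jar_bytes):
    """Return the commons-text version recorded in a jar, or None if absent.

    Matches the pom.properties entry at the jar root or under a relocated
    (shaded) prefix; nested jars inside fat jars are not unpacked here.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(POM_PROPS):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.MULTILINE)
                if m:
                    return m.group(1)
    return None


def is_affected(version):
    """True when the version lies in Apache's affected range 1.5..1.9.

    A hit means the library needs updating; as the post notes, it does not by
    itself mean the product calls the vulnerable interpolation code.
    """
    if version is None:
        return False
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def build_sample_jar(version):
    """Constructed sample: a minimal jar that carries only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.commons\n"
                    "artifactId=commons-text\n" f"version={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("1.4", "1.9", "1.10.0"):
        found = commons_text_version(build_sample_jar(v))
        print(v, "affected" if is_affected(found) else "not in affected range")
```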