TIBCO Hawk: Mitigation and Remediation for CVE-2022-41852 (Commons-JXPath)

Article ID: KB0107957

Products: TIBCO Hawk
Versions: 5.2.0, 6.2.x

Description

TIBCO is also aware of CVE-2022-41852, and this issue is under investigation as part of our response to CVE-2022-42889. See https://www.tibco.com/support/notices/2022/10/apache-commons-text-vulnerability-jxpath

JXPath Exposure in TIBCO Hawk:

JXPath is used in the TIBCO Hawk WebConsole component, which was the primary user interface for TIBCO Hawk version 6.0 and earlier, including version 5.2. In TIBCO Hawk version 6.1, the WebConsole was superseded by the new REST-based Hawk Console and listed as a Deprecated Feature in the TIBCO Hawk 6.1 Release Notes.

NOTE:

  1. Although deprecated, the WebConsole was still provided and documented in TIBCO Hawk version 6.2 for backward compatibility. Customers still using the WebConsole with Hawk 6.2 are using the deprecated feature and will need to follow the steps below to remediate the vulnerability.
  2. The WebConsole was subsequently removed with the release of TIBCO Operational Intelligence Hawk Redtail 7.0, so there is no impact on TIBCO Operational Intelligence Hawk Redtail 7.x.

Resolution

Remediation:  

  1. All customers still running TIBCO Hawk version 5.2.0 and version 6.x using the WebConsole should immediately upgrade to the version 6.2.1 Hawk Console, which is compatible with version 5.2 agents.
  2. Customers using both version 5.2 and 6.2.x should remove the WebConsole and JXPath libraries from all installed systems by deleting the following files:

     TIBCO_HOME/hawk/<version>/webconsole/tomcat/webapps/hawkwebconsole
     TIBCO_HOME/hawk/<version>/webconsole/hawkwebconsole.war

  3. The WebConsole component will be removed in the next Hawk 6.2.x release.
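
A read-only check for the file removal step, added here as an example (it is not TIBCO tooling): it walks every version directory under TIBCO_HOME, reports the two paths listed above if they still exist, and reports any leftover JXPath jar. The function name and the commons-jxpath*.jar filename pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: report WebConsole / JXPath remnants under a TIBCO_HOME.
# Read-only; it deletes nothing.
#
# Usage (after sourcing this file):  audit_hawk_webconsole "$TIBCO_HOME"
# Prints one "FOUND <path>" line per remnant.
# Returns 0 when clean, 1 when remnants exist, 2 when there is no hawk directory.
audit_hawk_webconsole() {
    home=$1
    [ -d "$home/hawk" ] || { echo "no hawk directory under $home" >&2; return 2; }
    found=0
    # One pass per installed version: TIBCO_HOME/hawk/<version>/
    for vdir in "$home"/hawk/*/; do
        [ -d "$vdir" ] || continue            # glob matched nothing
        wc="${vdir%/}/webconsole"
        # The two paths the article says to delete.
        for p in "$wc/tomcat/webapps/hawkwebconsole" "$wc/hawkwebconsole.war"; do
            if [ -e "$p" ]; then
                echo "FOUND $p"
                found=1
            fi
        done
    done
    # Assumption: a leftover JXPath library keeps the Apache artifact
    # naming (commons-jxpath*.jar), wherever it sits under hawk/.
    jars=$(find "$home/hawk" -type f -name 'commons-jxpath*.jar' 2>/dev/null)
    if [ -n "$jars" ]; then
        echo "$jars" | sed 's/^/FOUND /'
        found=1
    fi
    return "$found"
}
```

A non-zero return on any host means the removal step is incomplete there; run it on every system where Hawk is installed.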

Please contact TIBCO Support with any questions.


 
