TIBCO Data Virtualization Resolution and Mitigation for the Apache Commons Text (Text4Shell) Vulnerability
Article ID: KB0071807
Updated On:
| Products | Versions |
|---|---|
| TIBCO Data Virtualization | 8.3.x, 8.4.x, 8.5.x, 8.6 |
Description
TIBCO is aware of the recently announced Apache Commons Text vulnerability (CVE-2022-42889), referred to as “Text4Shell”. For more information about the general TIBCO investigation into this, please refer to TIBCO Public Notice Text4Shell Vulnerability Update.
This article provides additional information on how TIBCO Data Virtualization products in particular are affected.Issue/Introduction
This article contains resolution and mitigation steps for Apache Commons Text vulnerability (CVE-2022-42889) for the TIBCO Data Virtualization product
Environment
All
Resolution
The following versions are now available for download from the TIBCO eDelivery site and the AWS Marketplace (both Windows and Linux versions) . Upgrade to this versions which contains remediation for CVE-2022-42889:
- TIBCO Data Virtualization 8.6.1
- TIBCO Data Virtualization 8.5.5
- Stop the monitor ("bin/composite.sh/bat monitor stop" for server, "bin/bd.sh/bat monitor stop" for Business Directory). Note below steps remain same for TDV Server. Business Directory and Studio.
- Remove the files listed below that exist in <TDV_INSTALL_DIR>/apps/common/lib :
Here are the list of files to delete: htmlunit-cssparser-1.5.0.jar commons-text-1.8.jar commons-net-3.6.jar salvation-2.7.1.jar htmlunit-2.40.0.jar htmlunit-core-js-2.40.0.jar UNIX: a) Open shell b) cd <TDV_INSTALL_DIR>/apps/common/lib c) rm -f htmlunit* commons-text* commons-net* salvation* d) ls htmlunit* commons-text* commons-net* salvation* e) after successfully running the above steps, check if the files are removed $ ls htmlunit* commons-text* commons-net* salvation* ls: cannot access htmlunit*: No such file or directory ls: cannot access commons-text*: No such file or directory ls: cannot access commons-net*: No such file or directory ls: cannot access salvation*: No such file or directory Windows: a) Open cmd.exe b) cd <TDV_INSTALL_DIR>\apps\common\lib c) del /F htmlunit* commons-text* commons-net* salvation* d) dir htmlunit* commons-text* commons-net* salvation* e) after successfully running the above steps , check if the files are removed. Here is an example: D:\TIBCO\TDV Server 8.3.1\apps\common\lib>dir htmlunit* commons-text* commons-net* salvation* Volume in drive D has no label. Volume Serial Number is 3286-D279 Directory of D:\TIBCO\TDV Server 8.3.1\apps\common\lib Directory of D:\TIBCO\TDV Server 8.3.1\apps\common\lib Directory of D:\TIBCO\TDV Server 8.3.1\apps\common\lib Directory of D:\TIBCO\TDV Server 8.3.1\apps\common\lib File Not Found
- Create a new file with name 'files.md5' under "<TDV_INSTALL_DIR>/apps/common/lib/" folder. Add the content below to that file and save it.
d4b7197bf50afc96e2fa2657a339f037 commons-net-3.8.0.jar 4afc9bfa2d31dbf7330c98fcc954b892 commons-text-1.10.0.jar 2a5fa18c10f5e41e3e6d51f4903e1d54 htmlunit-2.66.0.jar c9c82b54ad8af5bd33f014cc8a08f31b htmlunit-core-js-2.66.0.jar 0393efbeb24dca7bec4b2ddab6cbd1bb htmlunit-cssparser-1.12.0.jar 5ced1161fd1f6d77fb3887cbe7dde76c htmlunit-xpath-2.66.0.jar 128540bd72fe46e53c6a0cfe49c1670e salvation2-3.0.1.jar
- Download the following files and place them under <TDV_INSTALL_DIR>/apps/common/lib
UNIX: a) open shell b) cd <TDV_INSTALL_DIR>/apps/common/lib Windows: a) open cmd.exe b) cd <TDV_INSTALL_DIR>\apps\common\lib c) wget https://repo1.maven.org/maven2/net/sourceforge/htmlunit/htmlunit-cssparser/1.12.0/htmlunit-cssparser-1.12.0.jar d) wget https://repo1.maven.org/maven2/net/sourceforge/htmlunit/htmlunit-xpath/2.66.0/htmlunit-xpath-2.66.0.jar e) wget https://repo1.maven.org/maven2/org/apache/commons/commons-text/1.10.0/commons-text-1.10.0.jar f) wget https://repo1.maven.org/maven2/commons-net/commons-net/3.8.0/commons-net-3.8.0.jar g) wget https://repo1.maven.org/maven2/com/shapesecurity/salvation2/3.0.1/salvation2-3.0.1.jar h) wget https://repo1.maven.org/maven2/net/sourceforge/htmlunit/htmlunit/2.66.0/htmlunit-2.66.0.jar i) wget https://repo1.maven.org/maven2/net/sourceforge/htmlunit/htmlunit-core-js/2.66.0/htmlunit-core-js-2.66.0.jar
- If you are unable to download the files in step 4, then get those files from TIBCO eDelivery (TDV 8.6.1 server pack).
- Ensure MD5 checksum of downloaded files match with the MD5 checksum file in step #3
UNIX: a) open shell b) cd <TDV_INSTALL_DIR>/apps/common/lib c) md5sum -c file.md5 d) Output from step c) should look like this $ md5sum -c files.md5 commons-net-3.8.0.jar: OK commons-text-1.10.0.jar: OK htmlunit-2.66.0.jar: OK htmlunit-core-js-2.66.0.jar: OK htmlunit-cssparser-1.12.0.jar: OK htmlunit-xpath-2.66.0.jar: OK salvation2-3.0.1.jar: OK Windows: a) open cmd.exe b) cd <TDV_INSTALL_DIR>\apps\common\lib c) certutil -hashfile commons-net-3.8.0.jar MD5 d) certutil -hashfile commons-text-1.10.0.jar MD5 e) certutil -hashfile htmlunit-2.66.0.jar MD5 f) certutil -hashfile htmlunit-core-js-2.66.0.jar MD5 g) certutil -hashfile htmlunit-cssparser-1.12.0.jar MD5 h) certutil -hashfile htmlunit-xpath-2.66.0.jar MD5 i) certutil -hashfile salvation2-3.0.1.jar MD5 Example output from certutil: D:\TIBCO\TDV Server 8.3.1\apps\common\lib>certutil -hashfile salvation2-3.0.1.jar MD5 MD5 hash of salvation2-3.0.1.jar: 128540bd72fe46e53c6a0cfe49c1670e CertUtil: -hashfile command completed successfully.
-
Start the TDV Server, TDV Business Directory Server, and TDV Studio.
Additional Information
TIBCO Public Notice about Apache Commons Text Vulnerability & JXPath
https://www.tibco.com/support/notices/2022/10/apache-commons-text-vulnerability-jxpath
TIBCO Data Virtualization 8.6.1 Release notes:
https://docs.tibco.com/pub/tdv/8.6.1/TIB_tdv_8.6.1_relnotes.pdf?id=1
TIBCO Data Virtualization 8.5.5 Release notes:
https://docs.tibco.com/pub/tdv/8.5.5/TIB_tdv_8.5.5_relnotes.pdf?id=1
Feedback
Yes
No
Powered by
