| Products | Versions |
|---|---|
| TIBCO Jaspersoft ETL (all editions) | - |
Jaspersoft is aware of the recent vulnerability CVE-2022-42889, a remote code execution flaw in the Apache Commons Text library. Apache Commons Text is an open-source library that performs variable interpolation, allowing properties to be dynamically evaluated and expanded. This is a newly discovered flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.
IMPACT: The Apache Commons Text vulnerability CVE-2022-42889 only applies when the StringSubstitutor API is used with untrusted input. In our Talend-based Jaspersoft ETL products, we do not directly use the StringSubstitutor API with untrusted input in any of our on-prem products. We have not found any instance of a third-party dependency that we include with our products that uses StringSubstitutor in an insecure way.
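For teams that do pass untrusted templates through StringSubstitutor, the condition described above can be closed by building the substitutor from an explicit set of lookups instead of the default interpolator, so that no prefixed lookup (script, dns, url, env, sys and so on) is reachable from the input. The example below is added here and is not Jaspersoft or Talend code; it assumes Apache Commons Text on the classpath (the `interpolatorStringLookup(Map, StringLookup, boolean)` factory method used here exists in the 1.x releases) and Java 9 or later for `Map.of`.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example: a StringSubstitutor that can only resolve the variables
 * the application explicitly hands it. Because addDefaultLookups is false,
 * none of the library's built-in prefixed lookups are registered, so a
 * template taken from an untrusted source cannot reach them.
 */
public final class RestrictedSubstitution {

    private RestrictedSubstitution() {
    }

    /** Builds a substitutor whose only source of values is {@code allowed}. */
    public static StringSubstitutor restrictedSubstitutor(Map<String, String> allowed) {
        StringLookup vars = StringLookupFactory.INSTANCE.mapStringLookup(allowed);
        // Empty prefix map + no default lookups: only the map above is consulted.
        // Any ${...} reference it cannot resolve yields null and is left unexpanded.
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(Map.of(), vars, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Constructed sample template standing in for input from an untrusted source.
        String untrustedTemplate = "Hello ${user}, your home directory is ${env:HOME}";
        StringSubstitutor sub = restrictedSubstitutor(Map.of("user", "alice"));
        // ${user} expands from the allowed map; ${env:HOME} stays as literal text
        // because no env lookup exists in this substitutor.
        System.out.println(sub.replace(untrustedTemplate));
    }
}
```

Restricting lookups this way complements, rather than replaces, upgrading to a Commons Text release that no longer enables the script, dns and url lookups by default.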
For more details please refer to this page published by our partner Talend:
https://www.talend.com/security/incident-response/#CVE-2022-42889