Apache Commons Text Vulnerability (CVE-2022-42889)

Update from November 8, 2022

The update of the vulnerable Apache Commons Text library was applied to further versions of the following Dynatrace components:

  • Dynatrace SaaS, Dynatrace Managed
    • Updates to Dynatrace SaaS that fix CVE-2022-42889 were applied.
    • Updates for Dynatrace Managed that fix CVE-2022-42889 are available for:
      • Version 1.252: 1.252.190 and higher
      • Version 1.250: 1.250.182 and higher
  • Dynatrace ActiveGate
    • Updates for Dynatrace ActiveGate that fix CVE-2022-42889 are available for:
      • Version 1.251: 1.251.249 and higher
      • Version 1.249: 1.249.243 and higher
  • Dynatrace OneAgent
    • Not affected. Apache Commons Text library is not used.

Update from October 20, 2022

The Dynatrace team has finished analyzing each occurrence of the vulnerable Apache Commons Text library. None of the Dynatrace components are affected. Patching of the library is in progress; see the fix versions below.

  • Dynatrace SaaS, Dynatrace Managed
    • Not affected.
    • Apache Commons Text library is used, but the vulnerable function is not used.
    • Patching of the library is in progress.
    • Fix version: 1.254
  • Dynatrace ActiveGate
    • Not affected.
    • Apache Commons Text library is used, but the vulnerable function is not used.
    • Patching of the library is in progress.
    • Fix version: 1.255
  • Dynatrace OneAgent
    • Not affected.
    • Apache Commons Text library is not used.

Update from October 19, 2022

[Update from 15:00 UTC]

The Dynatrace team has analyzed each occurrence of the vulnerable Apache Commons Text library. None of the Dynatrace components are affected, as the vulnerable function is not used in any instance. Patching of the library is in progress across all Dynatrace components.

  • Dynatrace SaaS, Dynatrace Managed
    • Not affected.
    • Apache Commons Text library is used, but the vulnerable function is not used.
    • Patching of the library is in progress. Fix versions will be provided soon.
  • Dynatrace ActiveGate
    • Not affected.
    • Apache Commons Text library is used, but the vulnerable function is not used.
    • Patching of the library is in progress. Fix versions will be provided soon.
  • Dynatrace OneAgent
    • Not affected.
    • Apache Commons Text library is not used.

[Update from 7:00 UTC]

The Dynatrace team is actively reviewing the recently published Apache Commons Text vulnerability (CVE-2022-42889), aka Text4Shell.

To date, Dynatrace has seen no evidence that this vulnerability has been exploited. Dynatrace Application Security continuously validates that any occurrence of the vulnerable Apache Commons Text library is rapidly detected and remediated on all production systems.

We will continue to assess the situation and provide further status updates on this page.

Notice

This document is provided on an “as is” basis, with no express or implied warranties. Some of the information provided may come from third parties. Your use of the information in the document or materials linked from the document is at your own risk. Dynatrace reserves the right to change or update this document without notice at any time. Dynatrace expects to update this document as new information becomes available.

Get article updates or report security vulnerabilities

Dynatrace takes a proactive approach in communicating security vulnerability information to customers. Learn more about Dynatrace security and our security policy. To report a security issue, email security@dynatrace.com.
