Is there a fix/update for Apache Commons Text vulnerability?

Currently evaluating Katalon Studio with 8.4.0 on Ubuntu. Just got an alert about the new Apache Commons Text vulnerability and checked – looks like KatStu is using 1.6.0.

Is there a forthcoming update that will mitigate this? Or will we need to take steps on our own?

Hi @bneville,

The vulnerability you are asking about may relate to the vulnerability below:

  • CVE identifier: CVE-2022-42889
  • Published date: 13/10/2022
  • Affected software: Apache Commons Text
  • CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
  • Affected versions:
    • 1.5 – 1.9
  • Exploitation requirements:
    • The application accepts user-controlled input that is subsequently processed by one of the following methods of the affected component:
      • StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup()
      • StringSubstitutor.createInterpolator().replace()
    • Java versions equal to or greater than Java 15 would not be susceptible to remote code execution, since the Nashorn engine is disabled and the “script” prefix would not be available. However, other attacks via the “url” and “dns” prefixes would be possible.
  • Affected on Katalon Studio
    Katalon Studio v7.x - v8.x uses Apache Commons Text v1.6, but we don’t use the above affected method directly, so Katalon Studio is not affected by Text4Shell.

If you are still concerned about the issue, we will release v8.5.5 on Dec 6th (tentatively) with an Apache Commons Text upgrade to v1.1.0.0.
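For anyone whose own test code or plugins (rather than Katalon itself) pass user-controlled templates into the two methods listed above, one defensive step while waiting for the upgrade is to stop using the default interpolator and register only an explicit allowlist of lookups. This is an added example, not code from Katalon or from Apache Commons Text; it assumes commons-text 1.6 to 1.9 on the classpath, and the class name SafeInterpolation is hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not Katalon code): interpolate templates with an explicit
 * allowlist of lookups instead of StringSubstitutor.createInterpolator(),
 * which on commons-text 1.5-1.9 registers the script/dns/url lookups by default.
 */
public class SafeInterpolation {

    /** Builds a substitutor that resolves only the keys present in 'values'. */
    static StringSubstitutor allowlistSubstitutor(Map<String, String> values) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        // Prefix-keyed lookups we are willing to expose to template authors.
        // Deliberately empty: no "sys:", "env:", "script:", "dns:", "url:" etc.
        Map<String, StringLookup> allowedPrefixes = new HashMap<>();
        // addDefaultLookups=false keeps the built-in default lookups unregistered;
        // anything without an allowlisted prefix falls through to the plain map.
        StringLookup restricted = factory.interpolatorStringLookup(
                allowedPrefixes, factory.mapStringLookup(values), false);
        StringSubstitutor sub = new StringSubstitutor(restricted);
        // Nested ${...} inside a variable name is another route to a prefix; keep it off.
        sub.setEnableSubstitutionInVariables(false);
        return sub;
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");
        StringSubstitutor safe = allowlistSubstitutor(values);

        // Constructed template: imagine the second placeholder arrived from user input.
        String template = "Hello ${user}, home=${sys:user.home}";

        // With the allowlist, ${user} resolves and the ${sys:...} token is left
        // unresolved, because no "sys" lookup is registered.
        System.out.println("allowlist : " + safe.replace(template));

        // Contrast: the default interpolator resolves ${sys:...} (and, on 1.5-1.9,
        // would also honour the script/dns/url prefixes named in the advisory).
        System.out.println("default   : " + StringSubstitutor.createInterpolator().replace(template));
    }
}
```

Run it with commons-text on the classpath and compare the two lines; the allowlist variant is the one to keep wherever template text is not fully trusted.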