This security advisory provides customers with an update on how Nedap Identification products and services are affected by the Apache Commons Text vulnerability (CVE-2022-42889).
What is this vulnerability?
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
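For integrators who cannot upgrade immediately, the exposure comes from the default interpolator that registers the "script", "dns" and "url" lookups. The following added example (not Nedap's or Apache's code; the "app" prefix and the sample configuration values are constructed for illustration) builds a StringSubstitutor from an explicit allowlist of lookups so that only approved prefixes are ever resolved and any other "${prefix:name}" token is left as plain text:

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Builds a StringSubstitutor whose only interpolators are an explicit allowlist. */
public final class SafeInterpolation {

    // Constructed sample values standing in for application configuration.
    private static final Map<String, String> APP_VALUES = new HashMap<>();
    static {
        APP_VALUES.put("host", "reader.example.internal");
        APP_VALUES.put("port", "8443");
    }

    /**
     * Returns a substitutor that resolves "${app:...}" only.
     * StringSubstitutor.createInterpolator() would instead register the full default
     * lookup set, which in 1.5 through 1.9 includes script, dns and url.
     */
    public static StringSubstitutor allowlistedSubstitutor() {
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("app", StringLookupFactory.INSTANCE.mapStringLookup(APP_VALUES));
        // addDefaultLookups = false: nothing beyond the map above is registered;
        // defaultStringLookup = null: unprefixed "${name}" tokens are not resolved either.
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(lookups, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        StringSubstitutor safe = allowlistedSubstitutor();
        // Approved prefix: expanded from the application map.
        System.out.println(safe.replace("https://${app:host}:${app:port}"));
        // Prefix outside the allowlist (e.g. one arriving in untrusted configuration):
        // no lookup is registered for it, so the token is returned unchanged, not evaluated.
        System.out.println(safe.replace("${url:not-allowed}"));
    }
}
```

Allowlisting is defence in depth only; upgrading to Apache Commons Text 1.10.0, where the default interpolator no longer enables these lookups, remains the primary fix.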
How does this vulnerability affect Nedap Identification Systems?
Nedap Identification Systems does not use Apache Commons Text in its hardware products (e.g. uPASS, TRANSIT, NVITE and ANPR).
Our software services MOOV and SENSIT are also not vulnerable to this issue in Apache Commons Text.
What actions should I take?
- Users of our services do not need to take any action.
- We recommend that partners who have developed integrations with our platform APIs evaluate their own software for this vulnerability.
Where can I find more information?
Additional information on this vulnerability can be found here:
- Apache Software Foundation: Apache Commons Text
- National Vulnerability Database: CVE-2022-42889