In the last few days two new potentially high-profile vulnerabilities have come forth from OpenSSL & Apache.

We are currently using Apache Ignite 2.13 and would like to understand whether there is known exposure to the vulnerabilities noted below:

1. The OpenSSL set of libraries has a pending release of a critical vulnerability <https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html>.

OpenSSL details: On Oct 25, 2022 one of the main contributors to the OpenSSL project released a statement that a CVE is to be released for the OpenSSL 3.x branch on Tuesday Nov 1, 2022. Currently, details are not released about the vulnerability, due to an embargo giving people time to patch, but it is currently listed as a critical vulnerability. Previous critical vulnerabilities have leaked memory as well as encryption keys; because of this, it is recommended that all libraries be upgraded to 3.0.7 (currently unreleased, will be released Nov 1) for groups utilizing the 3.x branch. As per the development team, users using 1.1.1s are currently unaffected by this vulnerability.

2. The Apache Commons Text libraries have uncovered and released a fix for a critical issue. The attack vector for this attack is not fully understood, and more patches are coming out.

Apache Commons Text details - CVE-2022-42889 <https://nvd.nist.gov/vuln/detail/CVE-2022-42889>

On Oct 13th, 2022 a vulnerability was published in the Apache Commons Text library. The vulnerability is related to the use of interpolated strings that allow for the execution of arbitrary code by an attacker. Any string that utilizes the library for the interpolation of strings is vulnerable to the attack. The fix that was supplied by the Apache Software Foundation addresses the remote code execution vulnerability; however, it doesn't address a secondary vulnerability that allows for arbitrary file access by the attacker. Teams are recommended to upgrade all instances of the library to 1.10, with the expectation that they will upgrade to 1.11 as soon as it is made available.

Thanks,
Raymond.
--
Raymond Wilson
Trimble Distinguished Engineer, Civil Construction Software (CCS)
11 Birmingham Drive | Christchurch, New Zealand
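As an added illustration (not part of Raymond's email, nor code from the Ignite or Commons Text projects), this shows how application code that renders templates containing untrusted text can confine the Commons Text interpolator to an explicit allowlist of lookups, so that built-in lookups such as env, sys, script, url or dns are never reachable from the template; `SafeInterpolation` and `render` are hypothetical names, and the sample template is constructed.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Hypothetical helper: expands only "${vars:name}" placeholders from a caller-supplied map.
    public static String render(String template, Map<String, String> values) {
        // Allowlist exactly one prefix ("vars") backed by our own map.
        // defaultStringLookup = null: unknown prefixes resolve to nothing and are left verbatim.
        // addDefaultLookups = false: the built-in lookups (env, sys, script, url, dns, ...) are
        // not registered at all, regardless of which Commons Text version is on the classpath.
        StringLookup allowlisted = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of("vars", StringLookupFactory.INSTANCE.mapStringLookup(values)),
                null,
                false);

        StringSubstitutor substitutor = new StringSubstitutor(allowlisted);
        // Explicitly keep nested substitution off (the library default) so a placeholder
        // cannot be assembled from the result of another placeholder.
        substitutor.setEnableSubstitutionInVariables(false);
        return substitutor.replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> values = Map.of("user", "alice");

        // Constructed sample input: one legitimate placeholder and one that tries to reach
        // a built-in lookup. Only the allowlisted prefix is expanded; the other stays as-is.
        String untrustedTemplate = "Hello ${vars:user}, your home directory is ${env:HOME}";
        System.out.println(render(untrustedTemplate, values));
    }
}
```

Upgrading to 1.10 as the email recommends is still required; the allowlist is defence in depth for any code path that builds templates from user-controlled input.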