A new vulnerability in a module used by OL Connect was uncovered two days ago. Our R&D team is currently assessing the risk and potential mitigation measures. We will publish an official statement as soon as the investigation is complete.
Text4Shell RCE vulnerability in Apache Commons Text (CVE-2022-42889)
Do you have any indication when the investigation will be complete, because our clients are shutting down the PlanetPress servers to mitigate any risk and since it's a Tier 1 (primary process) application, they need to know when they can expect an answer. They can't run their primary business process without PlanetPress.
Also is there any insight in when there will be a workaround or solution for this problem?
Our R&D team is still assessing the impact, if any. I am hoping to publish an official statement later today.
One thing is already certain: the upcoming OL Connect 2022.2 release will take care of the issue because it uses an updated version of the affected module (ACT 1.10) that is not vulnerable to the exploit.
Breaking news: R&D's preliminary analysis indicates that the vulnerable class in the Apache Commons Text module is not used anywhere in our application. Some additional validation is needed on our side, but things are looking good at this stage. I should have confirmation in the next two hours.
Final verdict: OL Connect is not impacted by the vulnerability.
Read the official statement here.