Update on the recent vulnerability in Apache Commons Text library and the impact on ManageEngine on-premise products

Update on the recent vulnerability in Apache Commons Text library and the impact on ManageEngine on-premise products

A critical vulnerability in Apache Commons Text library (CVE-2022-42889) was disclosed publicly on October 18, 2022. The details of this vulnerability is documented by Apache here.
 
Apache Commons Text library is bundled and used in the below ManageEngine on-premise products:

Product Name

Release Status

Asset Explorer

Released in v6982

ServiceDesk Plus

Released in v14003

ServiceDesk Plus MSP

Released in v13001

Password Manager Pro

Released in v12122

PAM360

Released in v5711

Access Manager Plus

Released in v4306

Endpoint Central

Released in v11.1.2238.5/10.1.2228.10/10.1.2220.16

Endpoint Central MSP

Released in v11.1.2238.5/10.1.2220.16

Remote Monitoring and Management (RMM)

Released in v10.1.41

Patch Manager Plus

Released in v11.1.2238.5/10.1.2228.10

Patch Connect Plus

Released in v90112

Vulnerability Manager Plus

Released in v11.1.2238.5/10.1.2228.10

Application Control Plus

Released in v11.1.2238.5/10.1.2228.10

Device Control Plus

Released in v11.1.2238.5/10.1.2228.10

Endpoint DLP

Released in v10.1.2137.05

OS Deployer

Released in v1.1.2242.1

Remote Access Plus

Released in v10.1.2228.10

Browser Security Plus

Released in v11.1.2238.6

Mobile Device Manager Plus

Released in v10.1.2209.6/10.1.2207.9


Please note that we have not identified any usage of the Commons Text library that is exploitable and the investigation is still in progress.

 

Although the Apache Commons Text library is available in all ManageEngine on-premise solutions, it is only used in the products listed above. These unused components will be removed from later editions of those products.

 

We will update this post as new details become available. Please contact security@manageengine.com for any more information or help.

                  New to ADSelfService Plus?