myDRE is NOT vulnerable to Text4Shell (CVE-2022-42889)

TL;DR myDRE is NOT vulnerable to Text4Shell (CVE-2022-42889).

The National Cyber Security Center (NCSC) has announced that a vulnerability with impact High/High (CVE-2022-42889) has been identified in Apache Commons Text v1.5-v1.9. It is expected to gain media attention, as public exploit code has become available showing how to abuse this vulnerability, which gives attackers a way of running malicious code remotely on vulnerable systems. It has also been linked to the Apache Log4J (Log4Shell) vulnerability earlier this year (myDRE is NOT vulnerable for CVE-2021-4428 - Apache Log4J2) and has been dubbed Text4Shell.

However, according to the NCSC, the attack surface for Text4Shell is more limited because Apache Commons Text is used for rather specific applications.

myDRE does NOT use Apache Commons Text.

Read more about the official Text4Shell announcement here (Dutch): https://www.digitaltrustcenter.nl/nieuws/kwetsbaarheid-in-apache-commons-text.
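
An added example, not part of the original announcement and not anDREa's own tooling: one way to check a system for the library named above is to look for Apache Commons Text inside Java archives and compare each version found with the v1.5-v1.9 range. It assumes the library is identifiable by its standard jar file name or by its Maven `pom.properties` entry; the function names are hypothetical.

```python
import io
import os
import re
import zipfile

# Affected range as stated in the advisory above: Apache Commons Text v1.5-v1.9.
AFFECTED_MIN, AFFECTED_MAX = (1, 5), (1, 9)
JAR_NAME = re.compile(r"(?:^|[/\\])commons-text-(\d+(?:\.\d+)*)[^/\\]*\.jar$")
# Maven metadata that survives when the library is merged into an uber jar.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def is_affected(version):
    """True if the major.minor part of `version` lies in the affected range."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:2]]
    if len(nums) < 2:
        return False
    return AFFECTED_MIN <= tuple(nums) <= AFFECTED_MAX


def find_commons_text(data, path):
    """Return [(location, version, affected)] for each copy found in archive bytes."""
    named = JAR_NAME.search(path)
    hits = [(path, named.group(1), is_affected(named.group(1)))] if named else []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; report only what the name told us
    with archive:
        for name in archive.namelist():
            if name == POM_PROPS and not named:
                text = archive.read(name).decode("utf-8", "replace")
                found = re.search(r"^version=(.+)$", text, re.M)
                if found:
                    ver = found.group(1).strip()
                    hits.append((path + "!/" + name, ver, is_affected(ver)))
            elif name.lower().endswith(ARCHIVE_EXT):
                # Nested archive (fat jar, WAR, EAR): descend into it in memory.
                hits += find_commons_text(archive.read(name), path + "!/" + name)
    return hits


def scan_tree(root):
    """Walk a directory tree and check every Java archive below it."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(folder, fname)
                with open(full, "rb") as fh:
                    hits += find_commons_text(fh.read(), full)
    return hits
```

Calling `scan_tree` on an application directory returns one tuple per copy of the library; an empty list means no copy was identified by name or Maven metadata.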