myDRE is NOT vulnerable for Text4Shell (CVE-2022-42889)
TL;DR myDRE is NOT vulnerable for Text4Shell (CVE-2022-42889).
The National Cyber Security Center (NCSC) has announced that a vulnerability with impact High/High (CVE-2022-42889) has been identified in Apache Commons Text v1.5-v1.9. It is being expected that this will gain media attention as a public exploit code has become available that shows how to abuse this vulnerability that gives attackers a way of running malicious code remotely on vulnerable systems. It has also been linked to the Apache Log4J (Log4Shell) vulnerability earlier this year (myDRE is NOT vulnerable for CVE-2021-4428 - Apache Log4J2) and has been dubbed Text4Shell.
However, according to the NCSC the attack surface for Text4Shell is more limited due to Apache Commons Text being used for rather specific applications.
myDRE does NOT use Apache Commons Text.
Read more about the official Text4Shell announcement here (Dutch): https://www.digitaltrustcenter.nl/nieuws/kwetsbaarheid-in-apache-commons-text.
Or a more elaborate article here (English): https://www.darkreading.com/application-security/apache-commons-vulnerability-patch-but-dont-panic.
Related Articles
myDRE is NOT vulnerable for CVE-2022-26809
Last “patch Tuesday” Microsoft disclosed and fixed a large number of serious vulnerabilities in Microsoft Windows. One of these vulnerabilities is identified as CVE-2022-26809 with a CVSS score of 9.8 (scale 1-10). myDRE is NOT vulnerable for ...myDRE NOT vulnerable for CVE-2021-4428 - Apache Log4J2
anDREa does not use Apache Log4J2 nor forks in production. update: 2021/12/13 Workspaces that might have installed Log4J2 on their VM(s), Windows or Linux, are not vulnerable for no Workspace is allowed to have inbound access. Read more ...myDRE is NOT vulnerable for CVE-2022-26809 - Serious Vulnerabilities in Microsoft Windows Workplaces and Servers
Situation Last “patch Tuesday” Microsoft disclosed and fixed a large number of serious vulnerabilities in Microsoft Windows. One of these vulnerabilities is identified as CVE-2022-26809 with a CVSS score of 9.8 (scale 1-10). CVE-2022-26809 is a ...Vulnerability in Apache Log4j (CVE-2021-44228)
Background See: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 Impact on anDREa and all its services Production anDREa does not use Log4J or forks in production. Impact: NONE Actions: no action needed update: 2021/12/13 Workspaces that might have ...Roles in myDRE workspace
Roles are defined per workspace. A myDRE user can have different roles in different workspaces they are part of. The role definitions are defined further in this document: Roles in myDRE workspace.