Summary
A zero-day exploit for a vulnerability code-named Text4Shell (CVE-2022-42889) was publicly released on October 12th 2022.
The Centreon Security Group has conducted an initial assessment across the codebase to determine the impact of this vulnerability.
The vulnerability is embedded in a Java component named Apache Commons Text, in versions from 1.5 to 1.10.
It can only be exploited in a very specific context.
Impact
Centreon components that could have been affected are the ones that use Java code:
- Centreon MAP server
- Centreon MBI
- AS400 plugin
No other component (including opensource) is affected.
No Centreon Cloud service is affected.
State of investigation
MAP, MBI and AS400 plugin do not use this dependency in any version.
If this library is present in your Centreon environment, you need to check which software uses it.
MAP, MBI and AS400 plugin are not affected by Text4Shell.
---- UPDATE 11/08/2022 17.00 ----
The library commons-text-1.9.jar is actually retrieved indirectly by one of our MAP software dependencies.
Even if present on the file system, this library is not used by any component of Centreon.
Therefore, there is no way the flaw can be exploited through the Centreon product.
We will generate new versions of MAP with the commons text library removed.
However, if you would like your vulnerability scanners not to raise a false positive, there is no harm in simply deleting the library file located in /usr/share/centreon/www/modules/centreon-map4-web-client/editor/WEB-INF/lib/
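The advisory asks administrators to check whether a commons-text jar is present and which version it is before deciding to remove it. The following inventory script is an added example written for this page; it is not Centreon code. It walks a directory tree, reads each commons-text jar's manifest (falling back to the file name), and flags versions in the affected range. The sample jars it builds under a temporary directory are constructed for the demo; on a real host you would point `scan()` at a root such as /usr/share/centreon instead. Upstream shipped the fix in Commons Text 1.10.0, so the check treats 1.5 ≤ version < 1.10 as affected.

```python
"""Inventory Apache Commons Text jars and flag those in the CVE-2022-42889 range.

Added example for this advisory, not Centreon's own tooling. The demo tree
built by make_demo_tree() is constructed; real hosts are scanned by passing
the actual root directory to scan().
"""
import os
import re
import tempfile
import zipfile

AFFECTED_MIN = (1, 5)   # first affected release named in the advisory
FIXED = (1, 10)         # 1.10.0 is the upstream release that fixed the flaw


def parse_version(text):
    """Return (major, minor) from '1.9', '1.10.0' or 'commons-text-1.9.jar'; None if absent."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def jar_version(path):
    """Prefer Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable or manifest-less jar: rely on the file name below
    return parse_version(os.path.basename(path))


def is_affected(version):
    """True when the (major, minor) tuple falls in [AFFECTED_MIN, FIXED)."""
    return version is not None and AFFECTED_MIN <= version < FIXED


def scan(root):
    """Walk root and return sorted (path, version, affected) for every commons-text jar."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("commons-text") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                found.append((path, version, is_affected(version)))
    return sorted(found)


def make_demo_tree(root=None):
    """Construct manifest-only sample jars (constructed data) so the scan runs offline."""
    root = root or tempfile.mkdtemp(prefix="commons-text-demo-")
    samples = {
        "modules/app-a/WEB-INF/lib/commons-text-1.9.jar": "1.9",     # affected
        "modules/app-b/lib/commons-text-1.10.0.jar": "1.10.0",       # fixed release
        "modules/app-c/lib/commons-text-1.4.jar": "1.4",             # predates the bug
    }
    for rel, ver in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n")
    return root


if __name__ == "__main__":
    # Demo run over constructed jars; replace with scan("/usr/share/centreon") on a host.
    for path, version, affected in scan(make_demo_tree()):
        print(f"{'AFFECTED' if affected else 'ok      '} {version} {path}")
```

The version is read from the manifest first because a renamed or repackaged jar can carry a misleading file name; the filesystem name is only a fallback. Knowing that a jar is present still says nothing about whether any running process loads it, which is the distinction the update above draws for MAP.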