
Apache Commons security vulnerability in Apache Geode


I have apache-geode-1.15.1 installed on multiple Linux servers. Unfortunately there is a security vulnerability CVE-2022-42889 related to Apache Commons Text4Shell because of the file commons-text-1.9.jar present in the following folders.

<GEODE_HOME>/locator01/GemFire_gemfire/services/http/0.0.0.0_7070_pulse_xxxxxxxx/webapp/WEB-INF/lib/commons-text-1.9.jar
<GEODE_HOME>/locator01/GemFire_root/services/http/0.0.0.0_7070_pulse_xxxxxxxx/webapp/WEB-INF/lib/commons-text-1.9.jar

From this link [1], the mitigation is to upgrade to Apache Commons Text 1.10.0. I have upgraded the affected jar files in the past, but they get deleted and a new set of commons-text-1.9.jar files keep appearing under the new folders 0.0.0.0_7070_pulse_xxxxxxxx.

[1] https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

Any help is appreciated. Thank you!


Solution

  • It seems that the answer to the problem is in the Apache Geode installer itself.

    Inside the folder <GEODE_HOME>/tools/Pulse, there is the file geode-pulse-1.15.1.war. Inside that war file, there is the file geode-pulse-1.15.1.war/WEB-INF/lib/commons-text-1.9.jar which is causing the issue.

    While waiting for the official release from Apache Geode, as a temporary workaround, I replaced the file commons-text-1.9.jar with commons-text-1.10.0.jar, updated the MANIFEST file under geode-pulse-1.15.1.war/META-INF, and created a new geode-pulse-1.15.1.war file including the updated files.

    After the edits, the file commons-text-1.9.jar did not appear anymore.
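As an added example (not part of the question or the answer above, and not an Apache Geode tool), the following POSIX shell script does two things the thread describes: it audits a Geode install tree for extracted commons-text jars older than 1.10.0, so you can confirm the Pulse webapp no longer redeploys the old one, and it rebuilds the Pulse war with a replacement jar, keeping a backup of the original. It assumes GEODE_HOME points at the install root, that jar names follow the commons-text-<version>.jar pattern shown in the question, and that `unzip` and `zip` are on PATH for the repack step. The manifest edit is an assumption about what "updated the MANIFEST file" meant: it rewrites any commons-text-x.y.jar reference (for example in a Class-Path entry) to the new version and is a no-op if the manifest has none.

```shell
#!/bin/sh
# Added example: audit and repack helper for the CVE-2022-42889 workaround on
# Geode Pulse. Assumed: GEODE_HOME env var, commons-text-<version>.jar naming,
# unzip/zip available for repacking. Not part of the Geode distribution.

# Return 0 (true) when dotted version $1 is lower than dotted version $2.
# Done in awk so it works without GNU sort -V.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0;
            q = (i <= nb) ? y[i] + 0 : 0;
            if (p < q) exit 0;
            if (p > q) exit 1;
        }
        exit 1
    }'
}

# Print every extracted commons-text jar under directory $1 whose version is
# below 1.10.0 (the fixed release named in the Apache advisory).
find_vulnerable_commons_text() {
    find "$1" -type f -name 'commons-text-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(basename "$jar" .jar)
        ver=${ver#commons-text-}
        if version_lt "$ver" "1.10.0"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Rebuild war $1 with replacement jar $2 in WEB-INF/lib, removing any bundled
# commons-text jar and pointing manifest references at the new file name.
# The original war is kept as $1.bak for rollback.
repack_pulse_war() {
    war=$1; newjar=$2
    command -v unzip >/dev/null 2>&1 && command -v zip >/dev/null 2>&1 || {
        echo "unzip and zip are required" >&2; return 2; }
    [ -f "$war" ] && [ -f "$newjar" ] || {
        echo "war or replacement jar not found" >&2; return 2; }
    # Absolute path, because the zip step runs from inside the work directory.
    war_abs=$(cd "$(dirname "$war")" && pwd)/$(basename "$war")
    newver=$(basename "$newjar" .jar); newver=${newver#commons-text-}
    work=$(mktemp -d) || return 2
    cp "$war_abs" "$war_abs.bak"
    unzip -q "$war_abs" -d "$work" || return 1
    rm -f "$work"/WEB-INF/lib/commons-text-*.jar
    mkdir -p "$work/WEB-INF/lib"
    cp "$newjar" "$work/WEB-INF/lib/"
    # Assumed manifest edit: rename any commons-text-<old>.jar reference.
    mf="$work/META-INF/MANIFEST.MF"
    if [ -f "$mf" ]; then
        sed "s/commons-text-[0-9.]*\.jar/commons-text-$newver.jar/g" "$mf" > "$mf.tmp" \
            && mv "$mf.tmp" "$mf"
    fi
    (cd "$work" && zip -q -r "$war_abs.new" .) || return 1
    mv "$war_abs.new" "$war_abs"
    rm -rf "$work"
}

# Usage:
#   GEODE_HOME=/opt/geode sh pulse_commons_text.sh scan
#   sh pulse_commons_text.sh repack "$GEODE_HOME/tools/Pulse/geode-pulse-1.15.1.war" commons-text-1.10.0.jar
case "${1:-}" in
    scan)   find_vulnerable_commons_text "${GEODE_HOME:?set GEODE_HOME}" ;;
    repack) repack_pulse_war "$2" "$3" ;;
esac
```

Run the scan again after the locator restarts: the extracted 0.0.0.0_7070_pulse_xxxxxxxx webapp folders are unpacked from the war, so an empty scan result is the check that the repacked war is the one being deployed.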