Applies to
• Documentum xCP 22.2
• Documentum xCP Designer 22.2
Summary
Are Documentum xCP components affected by CVE-2022-42889, the commons-text library vulnerability?
Resolution
Documentum xCP 22.2 is the first version of the platform that is shipped with the Apache commons-text Java library. This library is focused on algorithms for working with strings that developers may want to consume. CVE-2022-42889 describes a vulnerability that arises when using the StringSubstitutor API of this library: https://commons.apache.org/proper/commons-text/security.html
This specific API is not consumed in the Documentum xCP code line, and therefore it is safe to continue to consume version 1.9 of the commons-text library that you may find in your xCP built application.
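To check a built application yourself, the following added example (not OpenText code) lists every bundled commons-text JAR with its version and flags compiled classes outside that library that reference StringSubstitutor. It assumes the built application is a ZIP-format archive such as a WAR; the sample archive and its class names are constructed for illustration.

```python
import io
import re
import zipfile

JAR_RE = re.compile(r"(?:^|/)commons-text-(\d+(?:\.\d+)*)\.jar$")
# Class references appear in a .class constant pool in this ASCII form.
API_REF = b"org/apache/commons/text/StringSubstitutor"
FIXED = (1, 10)  # update target named in the article

def scan(data, path="", in_commons_text=False, report=None):
    """Walk a WAR/JAR given as bytes, recursing into nested archives."""
    report = report if report is not None else {"jars": [], "api_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{path}!/{info.filename}" if path else info.filename
            m = JAR_RE.search(info.filename)
            if m:
                version = tuple(int(p) for p in m.group(1).split("."))
                report["jars"].append((full, m.group(1), version < FIXED))
            lower = info.filename.lower()
            if lower.endswith((".jar", ".war")):
                try:
                    scan(zf.read(info), full, in_commons_text or bool(m), report)
                except zipfile.BadZipFile:
                    pass  # named like an archive but not one; skip
            elif lower.endswith(".class") and not in_commons_text:
                # The library's own classes reference the API; skip those.
                if API_REF in zf.read(info):
                    report["api_refs"].append(full)
    return report

def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_war():
    """Constructed sample: WAR bundling commons-text 1.9 plus one caller class."""
    magic = b"\xca\xfe\xba\xbe"
    lib = make_zip({"org/apache/commons/text/StringSubstitutor.class": magic + API_REF})
    return make_zip({"WEB-INF/lib/commons-text-1.9.jar": lib,
                     "WEB-INF/classes/com/example/Report.class": magic + API_REF,
                     "WEB-INF/classes/com/example/Other.class": magic})

if __name__ == "__main__":
    print(scan(build_sample_war()))
```

A byte search of this kind misses reflective loads by dotted class name and relocated (shaded) copies of the library, so an empty `api_refs` list is supporting evidence rather than proof.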
Future versions of the Documentum xCP stack will be updated to at least version 1.10. Customers consuming the Cloud Edition will be able to take the latest security release from November 2022 onwards, and this library will be updated to 1.10 or later.
For other OpenText products, please refer to the Knowledge Base articles that apply to the particular product line you need to check.
Additional Information
Important: Only the product versions listed in the “Applies to” section are affected by this vulnerability. Product versions not listed in the “Applies to” section are not affected by this vulnerability.