There has been a recent string of media-hyped open-source component vulnerabilities over the last several weeks, including Apache Commons-text CVE-2022-42889. This CVE carries a base impact severity of critical; however, the vulnerability is actively being reassessed by the National Vulnerability Database team.
While Commons-text is utilized across a number of ArcGIS products, we have validated (using a combination of tools that follow all potential code execution paths and manual review) that the base ArcGIS Enterprise deployment (Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store) and ArcGIS Pro are not vulnerable. A security scanner run against these products may incorrectly flag the issue as a concern. This is because some security scanners detect only the presence of a vulnerable version of Commons-text; however, we have confirmed that the library, where present in these products, is not used in a way that would make it vulnerable to this CVE.
As with numerous other third-party components, Commons-text will be updated with the ArcGIS Pro 3.1 release, and we plan to update it across the base ArcGIS Enterprise 11.1 offering.
- Esri Software Security & Privacy