CVE-2022-42889
Incident Report for Mendix Technology B.V.
Resolved
We released Mendix 9.6.14. This version is bundled with an updated non-vulnerable version of the Apache Commons Text library. It was the last MTS version requiring an update: all LTS and MTS versions have now been patched.

We have patched all platform applications where necessary.

All platform-supported Marketplace content containing a vulnerable version of the Apache Commons Text library has been updated as well. We have also informed all developers of community-supported Marketplace content bundled with a vulnerable version of the Apache Commons Text library, urging them to update their Marketplace content.

With that, we will close this incident, as all Mendix platform components have been updated.
Posted Nov 04, 2022 - 10:13 CET
Update
We released Mendix 8.18.22 and 9.12.8. These versions are bundled with an updated non-vulnerable version of the Apache Commons Text library. We are working on the release of patches for all of our LTS and MTS versions. Up next is 9.6. We expect a patch release for all LTS and MTS versions in the course of next week.

We also keep working on updating platform-supported Marketplace content that comes bundled with a vulnerable version of the Apache Commons Text library. We have not identified any Marketplace module where this vulnerability is exploitable, but we will still update all of them to prevent false positives in security scans.

We will keep you updated on the progress of mitigating the vulnerability throughout the Mendix platform.
Posted Oct 28, 2022 - 18:28 CEST
Update
Today we released Mendix 9.18.2. This version is bundled with an updated non-vulnerable version of the Apache Commons Text library. We are working on the release of patches for all of our LTS and MTS versions. Up next is 8.18, and we will then move on to 9.12 and 9.6. We expect a patch release for all LTS and MTS versions in the course of next week.

We also keep working on updating platform-supported Marketplace content that comes bundled with a vulnerable version of the Apache Commons Text library. We have not identified any Marketplace module where this vulnerability is exploitable, but we will still update all of them to prevent false positives in security scans.

We will keep you updated on the progress of mitigating the vulnerability throughout the Mendix platform.
Posted Oct 27, 2022 - 16:39 CEST
Update
We are working on the release of patches for all of our LTS and MTS versions. We will start with a new patch for 9.18, and will then move on to 8.18, 9.12 and 9.6. We expect a patch release for all LTS and MTS versions in the course of next week.

We are also working on updating platform-supported Marketplace content that comes bundled with a vulnerable version of the Apache Commons Text library. We have not identified any Marketplace module where this vulnerability is exploitable, but we will still update all of them to prevent false positives in security scans.

We will keep you updated on the progress of mitigating the vulnerability throughout the Mendix platform.
Posted Oct 25, 2022 - 17:04 CEST
Update
Although the Mendix runtime is not vulnerable to this CVE, we continue to work on updating the vulnerable library throughout our platform. We are working on patches for all our LTS and MTS versions.

We will keep you updated on the progress of mitigating the vulnerability throughout the Mendix platform.
Posted Oct 21, 2022 - 15:33 CEST
Update
Today we have released a new version (3.1.1) of the MendixSSO module. This module was not vulnerable to this CVE, as the vulnerable code path was not used, but you might still want to update the module in your projects to prevent false positives in security scans. You can download the updated module from the Marketplace (https://marketplace.mendix.com/link/component/111349).

We are working on updating all app templates and Marketplace content which contain the MendixSSO module.

We have released new versions for a number of platform applications, with updated versions of the Apache Commons Text library.

We will keep you updated on the progress of mitigating the vulnerability throughout the Mendix platform.
Posted Oct 20, 2022 - 18:05 CEST
Update
We have analyzed the MendixSSO module (https://marketplace.mendix.com/link/component/111349), as this is a Marketplace module that is used by a lot of Mendix applications.

This module is bundled with a vulnerable version of the Apache Commons Text library. However, the security vulnerability is not exploitable. The MendixSSO module does not invoke any of the vulnerable functions. Regardless, we will work on releasing a patch for this module. This will prevent false positives when running a security scan on Mendix applications.

We will keep you updated on the progress of mitigating the vulnerability throughout the Mendix platform.
Posted Oct 19, 2022 - 16:55 CEST
Update
We are continuing to work on a fix for this issue.
Posted Oct 19, 2022 - 16:55 CEST
Identified
We have analyzed the Mendix components and have identified those components that are using the vulnerable Apache Commons Text library.

All versions of the Mendix runtime from Mendix 8 upwards, up to (and including) Mendix 9.18, are bundled with a vulnerable version of the Apache Commons Text library. However, the security vulnerability is not exploitable via the Mendix runtime. The Mendix runtime does not invoke the vulnerable functions and it does not expose the vulnerability to the outside world. Nonetheless, we will work on releasing patches for all of our affected MTS and LTS releases (8.18, 9.6, 9.12 and 9.18). This will prevent false positives when running a security scan on Mendix runtimes.

We have also identified several platform components that are using a vulnerable version of the Apache Commons Text library. We will update the library for those components, regardless of whether the components were actually vulnerable. We expect to release patches for these components in the coming days.

We will keep you updated on the progress of mitigating the vulnerability throughout the Mendix platform.
Posted Oct 18, 2022 - 16:56 CEST
Investigating
Yesterday a new CVE with critical severity was published (https://nvd.nist.gov/vuln/detail/CVE-2022-42889). This CVE concerns the Apache Commons Text library. It has no known exploits.

We are currently investigating whether any Mendix components are affected and, if so, which.
Posted Oct 18, 2022 - 10:21 CEST
This incident affected: Mendix Services (Marketplace).