A critical severity security vulnerability known as Text4Shell, affecting the Apache Commons Text library (CVE-2022-42889), was made public on October 13, 2022. As soon as Couchbase became aware of this issue, our product and security teams investigated it immediately and took actions to protect our customers.

This vulnerability requires that an application uses Apache Commons Text versions 1.5 through 1.9 inclusive and that the application uses the StringSubstitutor class with variable interpolation. It also requires a way for an attacker to provide input that gets passed into the Apache Commons Text StringSubstitutor class.
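The first of those conditions is the one a defender can check mechanically across a build: which artifacts pull in `org.apache.commons:commons-text`, and at what version. The following script is an added example, not Couchbase's code or anything from the Apache project. It assumes dependency lines in the `groupId:artifactId:type:version:scope` shape printed by Maven's `dependency:list`, and the sample output it scans is constructed for the example.

```python
"""Flag Apache Commons Text versions in the CVE-2022-42889 affected range.

Added example (not Couchbase's or Apache's code). Input lines are assumed to
follow the Maven `dependency:list` format `groupId:artifactId:type:version:scope`,
optionally prefixed with `[INFO]`.
"""
import re
from typing import List, Tuple

# Affected range stated in the advisory: 1.5 through 1.9, inclusive.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)

# One dependency line: group:artifact:type:version[:scope], optional "[INFO]" prefix.
DEP_RE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):[\w\-]+:([^:\s]+)(?::[\w\-]+)?\s*$"
)


def parse_version(version: str) -> Tuple[int, int]:
    """Reduce a version string such as '1.9' or '1.10.0' to (major, minor)."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version: str) -> bool:
    """True if the commons-text version falls inside the inclusive 1.5..1.9 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan(lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every commons-text entry in the dependency listing."""
    findings = []
    for line in lines:
        m = DEP_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a dependency entry
        group, artifact, version = m.groups()
        if group == "org.apache.commons" and artifact == "commons-text":
            findings.append((version, is_affected(version)))
    return findings


# Constructed sample of `mvn dependency:list` output; not from any real build.
SAMPLE_OUTPUT = """
[INFO] The following files have been resolved:
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    org.apache.commons:commons-text:jar:1.9:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile
"""

if __name__ == "__main__":
    for version, affected in scan(SAMPLE_OUTPUT.splitlines()):
        status = "IN AFFECTED RANGE" if affected else "outside affected range"
        print(f"commons-text {version}: {status}")
```

A hit from this script only satisfies the first condition in the paragraph above; whether the application actually routes untrusted input through StringSubstitutor's interpolation is a separate code review question, which is exactly the distinction the rest of this post draws for Couchbase's own products.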

There are two Couchbase products which use the Apache Commons Text library:

    • Couchbase Server Enterprise Edition, when running the Couchbase Analytics service, versions 6.0.0 and later.
    • Couchbase Elasticsearch Connector.

We can confirm that neither Couchbase Server nor the Couchbase Elasticsearch Connector is vulnerable to this security issue, as they do not make use of the dynamic variable interpolation capabilities of Apache Commons Text.

The Couchbase Server Community Edition is also not impacted by this vulnerability, as this product does not contain the Couchbase Analytics service.

As our internal investigation progresses, we may update this post with any additional relevant information as needed.

*Updated* – Couchbase Server version 7.1.3 has been released, which contains a later patched version of the Apache Commons Text library as a precaution.

If you have any questions, please visit the Couchbase Community Forums. If you are a Couchbase Enterprise customer and have additional questions, please open a support case.

Author

Posted by Ian McCloy, Principal Product Manager

Ian McCloy is a Principal Product Manager for Couchbase and lives in the United Kingdom. He focuses on security features across the Couchbase portfolio of on-prem, cloud and edge products. Ian has a vast range of experience as a Software Engineer, Technical Support Engineer, Quality Assurance Engineer and Systems Administrator. Ian has led global technical teams for the majority of his 20-year professional career and holds several patents in the areas of information security, virtualisation and hardware design.