What is Text4Shell vulnerability? A critical severity security vulnerability affecting the Apache Commons Text library (CVE-2022-42889) Text4Shell that can be exploited and was made public on October 13, 2022. As soon as Couchbase became aware of this issue, we investigated it immediately within our product and security teams, and took actions to protect our customers.

This Text4Shell vulnerability requires that an application is using Apache Commons Text version 1.5-1.9 inclusive and that the application is using the StringSubstitutor class with variable interpolation. It also requires a method for an attacker to provide input which gets passed into the Apache Commons Text StringSubstitutor class.

There are two Couchbase products which use the Apache Commons Text library:

    • Couchbase Server Enterprise Edition, when running the Couchbase Analytics service, versions 6.0.0 and later.
    • Couchbase Elasticsearch Connector.

We can confirm that both Couchbase Server and the Couchbase Elasticsearch Connectors are not vulnerable to this security issue as they do not make use of the dynamic variable interpolation capabilities of Apache Commons Text. 

The Couchbase Server Community Edition is also not impacted by this vulnerability, as this product does not contain the Couchbase Analytics service.

As our internal investigation progresses, we may update this post with any additional relevant information as needed.

*Updated* РCouchbase Server, version 7.1.3 has been released which contains a later patched version of the Apache Commons Text library as a precaution.   Additionally the Elasticsearch connector versions 4.3.9, 4.4.2 and later have the updated library as well.

If you have any questions, please visit the Couchbase Community Forums. If you are a Couchbase Enterprise customer and have additional questions, please open a support case.


Posted by Ian McCloy, Director Product Management

Ian McCloy is the Director of the Platform and Security Product Management Group for Couchbase and lives in the United Kingdom. His dedicated team is responsible for the Reliability, Availability, Serviceability and Security architecture of Couchbase Server and the SaaS Database, Capella. This team also own cloud-native platforms like the Couchbase Kubernetes Autonomous Operator. Ian has a vast range of experience as a Software Engineer, Technical Support Engineer, Quality Assurance Engineer and Systems Administrator. Ian has led global technical teams for the majority of his 20 year professional career and holds several patents in the areas of information security, virtualisation and hardware design. https://www.linkedin.com/in/ianmccloy/

Leave a reply