What is the Text4Shell vulnerability? Text4Shell (CVE-2022-42889) is a critical-severity security vulnerability affecting the Apache Commons Text library that can be exploited and was made public on October 13, 2022. As soon as Couchbase became aware of this issue, our product and security teams investigated it immediately and took action to protect our customers.
Exploiting Text4Shell requires that an application uses Apache Commons Text versions 1.5 through 1.9 inclusive and that the application uses the StringSubstitutor class with variable interpolation. It also requires a way for an attacker to provide input that is passed into the Apache Commons Text StringSubstitutor class.
There are two Couchbase products which use the Apache Commons Text library:
- Couchbase Server Enterprise Edition, when running the Couchbase Analytics service, versions 6.0.0 and later.
- Couchbase Elasticsearch Connector.
We can confirm that neither Couchbase Server nor the Couchbase Elasticsearch Connector is vulnerable to this security issue, as they do not make use of the dynamic variable interpolation capabilities of Apache Commons Text.
The Couchbase Server Community Edition is also not impacted by this vulnerability, as this product does not contain the Couchbase Analytics service.
As our internal investigation progresses, we may update this post with any additional relevant information as needed.
*Updated* – Couchbase Server version 7.1.3 has been released, which contains a later, patched version of the Apache Commons Text library as a precaution. Additionally, the Elasticsearch Connector versions 4.3.9, 4.4.2 and later have the updated library as well.
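
To check the library-version condition described above on a host, the following added example (not Couchbase code) walks a directory for JARs that bundle Apache Commons Text and flags versions 1.5 through 1.9. It assumes each JAR keeps its standard Maven metadata or a `commons-text-<version>.jar` file name; it does not open nested JARs and cannot tell whether `StringSubstitutor` interpolation is actually used.

```python
import re
import sys
import zipfile
from pathlib import Path

# Standard Maven metadata entry that a commons-text JAR (or a fat JAR bundling it) carries.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
NAME_RE = re.compile(r"commons-text-(\d+(?:\.\d+)*)")  # fallback: version in file name


def is_affected(version):
    """True for the range given in the advisory: 1.5 through 1.9 inclusive."""
    # Compare numerically so that 1.10 sorts after 1.9.
    parts = tuple(int(p) for p in re.findall(r"\d+", version))[:2]
    return len(parts) == 2 and (1, 5) <= parts <= (1, 9)


def jar_version(jar_path):
    """Return the commons-text version found in a JAR, or None if it has none."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS in jar.namelist():
                props = jar.read(POM_PROPS).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if match:
                    return match.group(1).strip()
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    match = NAME_RE.search(Path(jar_path).name)
    return match.group(1) if match else None


def scan(root):
    """Return (path, version, affected) for each JAR under root with commons-text."""
    findings = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        version = jar_version(jar_path)
        if version:
            findings.append((str(jar_path), version, is_affected(version)))
    return findings


if __name__ == "__main__":
    # Usage: python scan_commons_text.py /path/to/install   (script name is arbitrary)
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':<9}{version:<12}{path}")
```

A flagged JAR meets only the version condition; whether the application passes untrusted input to `StringSubstitutor` still has to be reviewed separately.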