We’re getting reports from customers that automatic security scanners are flagging Search Guard because of its dependency on insecure versions of Apache Commons Text (see CVE-2022-42889).
Is there any official information from Search Guard related to this CVE? Are they affected? Is there a way to mitigate? How/when can we get rid of the vulnerable dependency (to, at the very least, satisfy automated scanners)?
We ship Apache commons-text 1.2 with Search Guard and, according to the description of CVE-2022-42889, only versions between 1.5 and 1.9 are affected. So to us it looks like Search Guard is not affected by this CVE. Which exact Search Guard versions are your customers using?
In addition, we do not use the broken variable interpolation functionality explicitly, nor do we expose it directly.
So the risk, even if we shipped a vulnerable version, would be very low. And if customers are not using the enterprise version of Search Guard, Apache commons-text would not be loaded by the classloader.
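One way to verify the shipped commons-text version the answer above refers to, as an added example that is not part of the thread: a small script that inspects a plugins directory for commons-text jars and flags the CVE-2022-42889 affected range (1.5 through 1.9, inclusive). The directory layout and the sample jar names are assumptions, not taken from Search Guard.

```python
"""Added example (not from the forum post): scan a plugins directory for
commons-text jars and report whether each falls in the CVE-2022-42889
affected range (1.5 through 1.9, as stated in the thread).

The directory path and jar names used below are constructed for illustration."""
import re
from pathlib import Path
from typing import List, Tuple

AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)
# Matches the Maven artifact naming convention, e.g. commons-text-1.2.jar
JAR_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.9.0' into (1, 9, 0) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))


def is_affected(version: str) -> bool:
    """True if the version lies in the inclusive range 1.5 .. 1.9."""
    v = parse_version(version)
    # Compare on (major, minor) only: 1.9 and 1.9.0 are both affected,
    # while 1.10.0 sorts above (1, 9) and is correctly treated as fixed.
    return AFFECTED_MIN <= v[:2] <= AFFECTED_MAX


def scan_jar_names(names: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (jar, version, affected) for every commons-text jar in names."""
    results = []
    for name in sorted(names):
        m = JAR_RE.match(name)
        if m:
            results.append((name, m.group(1), is_affected(m.group(1))))
    return results


def scan_plugins_dir(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a plugins directory (assumed layout: .../plugins/<plugin>/*.jar)."""
    names = [p.name for p in Path(root).rglob("*.jar")]
    return scan_jar_names(names)


if __name__ == "__main__":
    # Constructed sample of what a scanner might see in a plugin directory.
    sample = ["commons-text-1.2.jar", "commons-lang3-3.12.0.jar"]
    for jar, ver, bad in scan_jar_names(sample):
        print(f"{jar}: version {ver} -> {'AFFECTED' if bad else 'not affected'}")
```

Pointing `scan_plugins_dir` at the node's plugins directory gives the same report for the jars actually installed, which is what the automated scanners are reacting to.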