According to our IT Department, some part of Trados is running with a vulnerability in "Apache Common Text " used in the Java library. It is recommended to upgrade this library to version 1.10.0. Will you be providing a solution? See https://nvd.nist.gov/vuln/detail/CVE-2022-42889#vulnCurrentDescriptionTitle
Always worth reviewing the knowledgebase:
https://gateway.sdl.com/apex/communityknowledge?articleName=000019721
https://gateway.sdl.com/apex/communityknowledge?articleName=000019693
GroupShare is not mentioned in the context of the specific vulnerability you mentioned, but you can run a wider search for "vulnerabilty":
https://gateway.sdl.com/CommunitySearchResults#q=vulnerability&st=f&gsc.tab=0
Phillip Maieski may be able to share details around GroupShare if there is anything missing from the information above.
Thank you for those links - I don't know why I didn't find those articles myself, as I did have a look around the KB before posting.
So, for Studio and Multiterm there is a categorial statement that CVE-2022-42889 vulnerability in Apache Commons Text does *not* affect them; and for WorldServer 11.7.x there is an article saying that there is a hotfix because the vulnerability did apply. However, there does not appear to be any information about the situation with Groupshare.
Unfortunately, I lack the technical background (I'm asking 'for a friend' - i.e. our IT Department) to know what I can conclude from that. Is the vulnerability obviously irrelevant to Groupshare, so that a statement is deemed unnecessary (at least to people who have more understanding of the matter)? Or is it still unknown or unclear whether/how the vulnerability affects Groupshare?
In case it's relevant, we are using Studio 2019 SR1, Multiterm 2019, and Groupshare 2020 SR1 CU04. (We hope to upgrade to 2022 early next year - our organisation is a bit slow in that regard.)
Hi Alex,
Indeed, current we're still missing any article in the RWS Support Gateway for the CVE-2022-42889 vuln. in relation to Trados GroupShare. Our Support team is working to push the relevant details live next possible.
The vuln CVE-2022-42889 itself does affect Trados GroupShare or, to be more precise, the component MultiTerm Online optionally available for it. MultiTerm Online in the currently released versions of GroupShare use an affected version of Apache Commons Text (1.8).
We're currently finalizing the next update for GroupShare, the Cumulative Update 8 (CU8), which will also include a new MultiTerm Online version that uses a newer, unaffected Apache Commons Text (1.10). This CU8 is planned to be available in the coming weeks, latest expected availability is before Christmas.
I hope this helps.
Phillip Maieski | Trados Product Management – RWS Group
Hi Alex,
Indeed, current we're still missing any article in the RWS Support Gateway for the CVE-2022-42889 vuln. in relation to Trados GroupShare. Our Support team is working to push the relevant details live next possible.
The vuln CVE-2022-42889 itself does affect Trados GroupShare or, to be more precise, the component MultiTerm Online optionally available for it. MultiTerm Online in the currently released versions of GroupShare use an affected version of Apache Commons Text (1.8).
We're currently finalizing the next update for GroupShare, the Cumulative Update 8 (CU8), which will also include a new MultiTerm Online version that uses a newer, unaffected Apache Commons Text (1.10). This CU8 is planned to be available in the coming weeks, latest expected availability is before Christmas.
I hope this helps.
Phillip Maieski | Trados Product Management – RWS Group
Excellent, thank you for clarifying that! We'll keep an eye out for the CU8 then.
Translate
