Apache Commons Text4Shell Vulnerability
(CVE-2022-42889)
Summary
UPDATE October 27, 2022: Updated to announce that our evaluation of our free tools portfolio is complete and that these tools are not affected by this vulnerability. We have also added Security & Event Manager (SEM) to the list of SolarWinds products that use Apache Commons Text but do not use the vulnerable methods.
The Apache Software Foundation sent a security advisory regarding CVE-2022-42889 to its security mailing list and provided mitigation guidance to upgrade to Apache Commons Text 1.10.0. Apache Commons Text versions 1.5 through 1.9 are susceptible to a vulnerability that, when successfully exploited, could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).
The following SolarWinds products use Apache Commons Text but do not use the vulnerable methods:
- AppOptics
- Loggly
- SolarWinds Observability
- Security & Event Manager
We have confirmed all other SolarWinds products ARE NOT KNOWN TO BE AFFECTED by this issue, including the Orion Platform core and all its modules, and our free tools portfolio.
Advisory Details
Severity
9.8 Critical