[druid-user] Apache Commons Text

Hi,

Does anyone know if Druid 24.0 is affected by the Apache Commons Text vulnerability disclosed here - GHSL-2022-018: Arbitrary Code Execution in Apache Commons Text - CVE-2022-42889 | GitHub Security Lab

I know Druid 24.0 uses commons-text-1.9.0.jar. Hopefully, it is not as bad as the log4j issue.

Regards,
Ashok

Hi Ashok,

I’ve been informed that Druid isn’t impacted by the vulnerability because we don’t use the vulnerable functions within the library, and the upgraded library 1.10 will be included in a forthcoming release.

Best,

Mark Herrera
Developer Advocate
Imply

Thanks a lot, Mark. Appreciate the quick response.

Thanks,
Ashok