Statement on CVE-2022-42889 (Commons Text)

October 24, 2022

A vulnerability was recently disclosed against versions 1.9 and below of the Apache Commons Text library. The details of this vulnerability are discussed here:

We have performed a detailed code audit and can confirm that HAPI FHIR and Smile CDR are not vulnerable to this issue. The issue applies to a specific feature of Commons Text known as the "Interpolator String Lookup", and this feature is not used by these products. However, users may wish to upgrade anyway as an added precaution.

HAPI FHIR users may wish to manually upgrade the Commons Text library to version 1.10 in their project pom.xml file (or equivalent). This has been tested and confirmed to be a safe upgrade.
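
One way to apply this upgrade in a Maven build, as an added example that is not taken from the HAPI FHIR or Smile CDR projects. It assumes Commons Text may arrive as a transitive dependency; the Maven coordinates, the 1.10.0 release number used for version 1.10, the enforcer plugin version and the execution id are not stated in this statement.

```xml
<!-- Added example: merge these elements into the existing <project> element of pom.xml. -->
<properties>
  <!-- Assumption: Commons Text 1.10 is published to Maven Central as 1.10.0 -->
  <commons-text.version>1.10.0</commons-text.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Pins the version even when the library is only pulled in transitively -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>${commons-text.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <plugins>
    <!-- Fails the build if any dependency path still resolves a release below 1.10.0 -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.1.0</version>
      <executions>
        <execution>
          <!-- Hypothetical execution id chosen for this example -->
          <id>ban-old-commons-text</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <!-- Version range (,1.10.0) matches every release before 1.10.0 -->
                  <exclude>org.apache.commons:commons-text:(,1.10.0)</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running `mvn dependency:tree -Dincludes=org.apache.commons:commons-text` afterwards shows which version the build actually resolves.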

A Smile CDR point release that upgrades this library will be published shortly.