SAP Knowledge Base Article - Preview

3278497 - [CVE-2022-42889] FAQ & Workaround for Security Note 3271523


SAP Commerce uses a version of open source Java library Apache Commons Text which has vulnerabilities CVE-2022-42889


1. Which customers are affected?  
    - All customers that use Apache Commons Text version 1.5 to 1.9 and interpolation for “StringSubstitutor” in their SAP Commerce code. 

2. You have an SAP Commerce version which is lower where the fix is implemented according to the SAP Security Note 3271523. Are the lower SP versions affected too?   
    - Yes.  

3. Is it possible to get the fix for lower SP's?  
    - Yes. The fix is to follow the “Resolution” section above. 

4. Is there any workaround in lower SP levels, where the fix is not implemented?  
    - Yes, but only as a temporarily fix. See the “Workaround” section. 

5. Will the upgrade require down time?  
    - No. 

6. Are any other components, other than the component CEC-COM-CPS-COR, impacted by applying the fix?  
    - No

7. Is applying the patch enough or do we need to perform any manual configuration steps after deploying it?  
    - The patch is enough. 

8. Is there any workaround to fix this vulnerability temporarily?  
    - Yes, but only as a temporarily fix. See the “Workaround” section.

 9. I have implemented the workaround. Am I still affected?  
    - No. However there is possibility of human error.  

10. Is applying the patch enough or we need to perform the workaround after patching, as well?  
    - The patch is a long-term resolution.    



  • SAP Commerce
  • SAP Commerce Cloud


SAP Commerce Cloud all versions ; SAP Commerce all versions


KBA , CEC-SCC-PLA-PL , Platform , Known Error

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.