3278497 - [CVE-2022-42889] FAQ & Workaround for Security Note 3271523

SAP Commerce uses a version of open source Java library Apache Commons Text which has vulnerabilities CVE-2022-42889. 

FAQ 

1. Which customers are affected?  
    - All customers that use Apache Commons Text version 1.5 to 1.9 and interpolation for “StringSubstitutor” in their SAP Commerce code. 

2. You have an SAP Commerce version which is lower where the fix is implemented according to the SAP Security Note 3271523. Are the lower SP versions affected too?   
    - Yes.  

3. Is it possible to get the fix for lower SP's?  
    - Yes. The fix is to follow the “Resolution” section above. 

4. Is there any workaround in lower SP levels, where the fix is not implemented?  
    - Yes, but only as a temporarily fix. See the “Workaround” section. 

5. Will the upgrade require down time?  
    - No. 

6. Are any other components, other than the component CEC-COM-CPS-COR, impacted by applying the fix?  
    - No

7. Is applying the patch enough or do we need to perform any manual configuration steps after deploying it?  
    - The patch is enough. 

8. Is there any workaround to fix this vulnerability temporarily?  
    - Yes, but only as a temporarily fix. See the “Workaround” section.

 9. I have implemented the workaround. Am I still affected?  
    - No. However there is possibility of human error.  

10. Is applying the patch enough or we need to perform the workaround after patching, as well?  
    - The patch is a long-term resolution.