On October 13th, 2022, a new vulnerability (CVE-2022-42889) was published against the Apache Commons Text library. The vulnerability could allow a remote attacker to execute malicious code on affected systems, a class of attack known as remote code execution (RCE).
While current versions of Ignition include a vulnerable version of Commons Text as a dependency, Inductive Automation has reviewed Ignition's use of the library and concluded that the affected functions are never invoked by Ignition, so untrusted user input cannot reach them.
No action is required by any Ignition user on any version of Ignition to mitigate the effects of CVE-2022-42889. A future release of Ignition (planned 8.1.23) will update this dependency to version 1.10.0, which includes fixes addressing this CVE.
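For readers who want to confirm which Commons Text version a Java application ships, the following is an added example of a defender-side dependency check; it is not code from Inductive Automation or Ignition. It assumes the usual Maven jar naming (`commons-text-<version>.jar`) and treats every version older than 1.10.0, the fix version named above, as affected. The sample classpath listing is constructed for illustration.

```python
"""Flag Apache Commons Text jars older than the fixed 1.10.0 release.

Added example (not Inductive Automation / Ignition code). Assumes jars are
named commons-text-<version>.jar and that anything below 1.10.0 is affected,
per the fix version stated in the advisory.
"""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable

# First release that includes the fix for CVE-2022-42889 (from the advisory).
FIXED_VERSION = (1, 10, 0)

# Matches e.g. commons-text-1.9.jar or commons-text-1.10.0.jar (case-insensitive
# so listings from Windows hosts are handled too).
_JAR_RE = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.9' into (1, 9, 0).

    Comparing as integer tuples avoids the classic mistake of comparing
    version strings lexically, where '1.9' would sort after '1.10.0'.
    """
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def commons_text_version(filename: str) -> tuple[int, ...] | None:
    """Return the parsed version if the name is a commons-text jar, else None."""
    match = _JAR_RE.match(Path(filename).name)
    return parse_version(match.group(1)) if match else None


def is_affected(filename: str) -> bool:
    """True when the jar is commons-text older than the fixed 1.10.0 release."""
    version = commons_text_version(filename)
    return version is not None and version < FIXED_VERSION


def affected_jars(filenames: Iterable[str]) -> list[str]:
    """Return the subset of filenames that name an affected commons-text jar."""
    return [name for name in filenames if is_affected(name)]


def scan_directory(root: Path) -> list[str]:
    """Walk a directory tree (for example an application's lib folder)."""
    return affected_jars(str(path) for path in root.rglob("*.jar"))


# Constructed sample classpath listing; not a real installation.
SAMPLE_CLASSPATH = [
    "/opt/app/lib/commons-text-1.9.jar",
    "/opt/app/lib/commons-lang3-3.12.0.jar",
    "/opt/app/lib/commons-text-1.10.0.jar",
    "/opt/app/lib/COMMONS-TEXT-1.5.JAR",
]

if __name__ == "__main__":
    for jar in affected_jars(SAMPLE_CLASSPATH):
        print("affected:", jar)
```

Run it against a real install with `scan_directory(Path("/path/to/lib"))`. A jar below 1.10.0 on the classpath is not by itself proof of exposure, as the advisory's own analysis shows; the check tells you which components still carry the dependency and should be on the upgrade list.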