On October 18, 2022, it was reported that one of the Apache modules used in OL Connect is vulnerable to exploits that could result in arbitrary code execution or contact with remote servers. The vulnerability exists in versions 1.5 to 1.9 of the Apache Commons Text module, with OL Connect 2022.1 using version 1.9 of that module. Older versions of Connect also use vulnerable versions of the module.
Our R&D department has assessed the potential risk in OL Connect. Their investigation shows that the vulnerability is in the org.apache.commons.text.StringSubstitutor class (ref: https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/).
OL Connect does not use this class. It does use the WordUtils and StringEscapeUtils classes from the same module, but neither of those classes depends on the vulnerable StringSubstitutor class.
OL Connect is therefore not impacted by this vulnerability.
To completely eliminate the threat and prevent it from being flagged by security monitoring systems, OL Connect 2022.2 (slated for release in November 2022) will be using version 1.10 of the Apache Commons Text module.
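For administrators who want to verify which Apache Commons Text version a deployment actually ships, the following added check (not OL Connect code; the jar fixture and its contents are constructed here) reads the Maven pom.properties that commons-text jars carry and flags versions in the 1.5 to 1.9 range named above. Whether a flagged jar is actually exploitable still depends on whether StringSubstitutor is reachable, which is the point the advisory makes for OL Connect.

```python
"""Flag Apache Commons Text jars whose version falls in the range the advisory names."""
import io
import re
import zipfile

# Range named as vulnerable (1.5 through 1.9); 1.10 is the version that resolves it.
VULN_MIN = (1, 5)
VULN_MAX = (1, 9)

# Path Maven-built commons-text jars use for their build metadata.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"


def parse_version(text):
    """Turn '1.10' into (1, 10): tuples sort correctly, strings would put 1.10 before 1.9."""
    match = re.match(r"^(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(match.group(1)), int(match.group(2))


def classify(version):
    """Return 'vulnerable' for 1.5..1.9 and 'not affected' otherwise."""
    return "vulnerable" if VULN_MIN <= parse_version(version) <= VULN_MAX else "not affected"


def commons_text_version_from_jar(jar_bytes):
    """Read the version from pom.properties inside the jar; None if it is not commons-text."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def audit_jar(jar_bytes):
    """(status, version) for one jar; status is 'no commons-text' when the marker is absent."""
    version = commons_text_version_from_jar(jar_bytes)
    return ("no commons-text", None) if version is None else (classify(version), version)


def make_fake_jar(version):
    """Constructed fixture: a minimal jar holding only the pom.properties marker file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.commons\nartifactId=commons-text\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("1.4", "1.9", "1.10"):
        print(v, audit_jar(make_fake_jar(v)))
```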