Remote Code Execution vulnerability in Apache commons text library
CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
https://blogs.apache.org/security/entry/cve-2022-42889
Risks
The Apache Commons Text team recently disclosed CVE-2022-42889. Software that uses the StringSubstitutor API without properly sanitizing user input is vulnerable to Remote Code Execution (RCE). The attack does not require any user interaction and can be executed remotely. The impact to confidentiality, integrity and availability is high.
The Apache Commons Text team is not currently aware of any applications that pass untrusted input to the substitutor and thus would have been impacted by this problem prior to Apache Commons Text 1.10.0.
Although PoC code is available, this CVE has not been exploited in the wild.
Description
Apache Commons Text is a low-level library for performing various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.
Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script": execute expressions using the JVM script execution engine (javax.script)
- "dns": resolve DNS records
- "url": load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
For that reason, the Apache Commons Text team has decided to update the configuration to be more "secure by default", disabling the dns, url and script interpolators. This mitigates the impact of a failure to validate inputs and will not give an attacker access to these interpolators. However, it is still recommended that users treat untrusted input with care.
This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input.
In the Apache Commons Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.
Recommended Actions
The Centre for Cyber Security Belgium recommends that system administrators identify software which includes this library as a supply-chain dependency. Once identified, patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity.
Upgrade
Upgrade to Apache Commons Text 1.10.0.
Mitigate/Workaround
Properly sanitize user input when accepting and processing untrusted data.
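One way to apply both the lookup restriction described under Description and the input check recommended here, as an added example that is not code from the advisory or from Apache Commons Text itself: the class name SafeInterpolation, the "date"-only allow-list and the sample strings are assumptions, and commons-text must be on the classpath.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Hardened use of StringSubstitutor: lookups come from an explicit allow-list, never the library defaults. */
public final class SafeInterpolation {
    // Interpolator prefixes this application is willing to honour (constructed allow-list: only "date").
    private static final Set<String> ALLOWED_PREFIXES = Collections.singleton("date");
    // Matches the "${prefix:" opening of a prefixed placeholder so templates can be audited up front.
    private static final Pattern PREFIXED = Pattern.compile("\\$\\{\\s*([A-Za-z0-9_]+)\\s*:");

    /** Resolves plain ${name} keys from 'values' and honours only the allow-listed prefixes. */
    public static StringSubstitutor restrictedSubstitutor(Map<String, String> values) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("date", factory.dateStringLookup());
        // addDefaultLookups = false: script, dns and url are never registered (even on 1.5 - 1.9); unknown prefixes stay unresolved.
        StringLookup resolver = factory.interpolatorStringLookup(lookups, factory.mapStringLookup(values), false);
        return new StringSubstitutor(resolver);
    }
    /** Every prefix the template uses that is not allow-listed; an empty set means the template is clean. */
    public static Set<String> disallowedPrefixes(String template) {
        Set<String> bad = new HashSet<>();
        Matcher m = PREFIXED.matcher(template);
        while (m.find()) {
            String prefix = m.group(1).toLowerCase(Locale.ROOT);
            if (!ALLOWED_PREFIXES.contains(prefix)) bad.add(prefix);
        }
        return bad;
    }
    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");                              // constructed sample data
        StringSubstitutor sub = restrictedSubstitutor(values);
        System.out.println(sub.replace("Hello ${user}"));
        // No lookup is registered for "script", so the placeholder is left as literal text, not executed.
        System.out.println(sub.replace("${script:anything}"));
        // Screen untrusted templates before they reach any substitutor, including a default one.
        System.out.println(disallowedPrefixes("${user} and ${url:anything} and ${dns:anything}"));
    }
}
```

On 1.10.0 the library defaults already exclude script, dns and url, but building the resolver explicitly keeps the behaviour independent of the library version in use.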
More Information
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities and detect any related suspicious activity, ensuring a fast response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
https://nvd.nist.gov/vuln/detail/CVE-2022-42889
https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/