
Remote Code Execution vulnerability in Apache commons text library

Reference: Advisory #2022-033
Version: 1.0
Affected software: Apache Commons Text 1.5 through 1.9
Type: Remote Code Execution (RCE)
CVE/CVSS: CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://blogs.apache.org/security/entry/cve-2022-42889

Risks

The Apache Commons Text team recently disclosed CVE-2022-42889. Software that uses the StringSubstitutor API without properly sanitizing user input is vulnerable to Remote Code Execution (RCE). The attack does not require any user interaction and can be executed remotely. The impact on confidentiality, integrity and availability is high.

The Apache Commons Text team is not currently aware of any applications that pass untrusted input to the substitutor and thus would have been impacted by this problem prior to Apache Commons Text 1.10.0.

Although PoC code is available, this CVE has not been exploited in the wild.

Description

Apache Commons Text is a low-level library for performing various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.

Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • "script": execute expressions using the JVM script execution engine (javax.script)
  • "dns": resolve DNS records
  • "url": load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.

For that reason, the Apache Commons Text team has decided to update the configuration to be more "secure by default", disabling the "dns", "url" and "script" interpolators. This mitigates the impact of a failure to validate inputs, since an attacker no longer gets access to these interpolators. However, it is still recommended that users treat untrusted input with care.

This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input.

In the Apache Commons Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.

Recommended Actions

The Centre for Cyber Security Belgium recommends that system administrators identify software which includes this library as a supply-chain dependency. Once identified, patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity.

Upgrade

Upgrade to Apache Commons Text 1.10.0.

Mitigate/Workaround

Properly sanitize user input when accepting and processing untrusted data.
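The following is an added example, written for this advisory and not taken from it or from the Apache project, that shows what "sanitize user input" and the "${prefix:name}" lookup mechanism described above look like in code. It builds a StringSubstitutor from an explicit lookup map (StringLookupFactory.interpolatorStringLookup with addDefaultLookups=false) instead of relying on the library defaults that, in 1.5 through 1.9, included the "script", "dns" and "url" interpolators, and it screens untrusted text for placeholder prefixes outside an allow-list before substituting. It assumes Apache Commons Text (1.9 or 1.10) on the classpath; the "order" prefix, the field names, and the input string are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not from the advisory or the Apache project): a substitutor that
 * only knows the lookups the application registers, plus a pre-check that flags
 * untrusted text referencing any other ${prefix:...} interpolator.
 */
public final class RestrictedSubstitution {

    // Hypothetical allow-list: the only interpolator prefix this application needs.
    private static final Set<String> ALLOWED_PREFIXES = Set.of("order");

    // Captures the "prefix" part of a ${prefix:name} placeholder.
    private static final Pattern PREFIXED_PLACEHOLDER =
            Pattern.compile("\\$\\{\\s*([A-Za-z0-9_.-]+)\\s*:");

    /**
     * Build a substitutor from an explicit lookup map. addDefaultLookups=false keeps
     * the library's built-in interpolators (script, dns, url, ... in 1.5-1.9) out of
     * the set, unlike StringSubstitutor.createInterpolator(), which uses the defaults.
     */
    static StringSubstitutor restrictedSubstitutor(Map<String, String> orderFields) {
        Map<String, StringLookup> lookups = new LinkedHashMap<>();
        lookups.put("order", StringLookupFactory.INSTANCE.mapStringLookup(orderFields));
        StringLookup interpolator =
                StringLookupFactory.INSTANCE.interpolatorStringLookup(lookups, null, false);
        return new StringSubstitutor(interpolator);
    }

    /** Return every placeholder prefix in the text that is not on the allow-list. */
    static Set<String> disallowedPrefixes(String untrusted) {
        Set<String> found = new TreeSet<>();
        Matcher m = PREFIXED_PLACEHOLDER.matcher(untrusted);
        while (m.find()) {
            String prefix = m.group(1).toLowerCase(Locale.ROOT);
            if (!ALLOWED_PREFIXES.contains(prefix)) {
                found.add(prefix);
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed trusted values that the application itself supplies.
        Map<String, String> orderFields = new LinkedHashMap<>();
        orderFields.put("id", "A-1042");
        orderFields.put("customer", "Alice");
        StringSubstitutor sub = restrictedSubstitutor(orderFields);

        // Constructed untrusted input, e.g. a free-text field from a web form.
        String untrusted = "Thanks ${order:customer}, ref ${order:id}. "
                + "${script:javascript:UNTRUSTED_EXPRESSION}";

        // Step 1: validate before substituting, as the advisory recommends.
        Set<String> bad = disallowedPrefixes(untrusted);
        if (!bad.isEmpty()) {
            System.err.println("rejected input: disallowed lookup prefixes " + bad);
            // In an application: refuse the request and raise an alert here.
        }

        // Step 2: even if validation were skipped, the restricted substitutor has no
        // "script" lookup registered, so that placeholder is left unresolved instead
        // of being handed to javax.script.
        System.out.println(sub.replace(untrusted));
    }
}
```

The two steps are deliberately redundant: the prefix check gives the application a point to log and reject suspicious input (useful for the monitoring the advisory asks for), while the explicit lookup map means the outcome does not depend on the library's default interpolator set, whichever version is on the classpath.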

More Information

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities in order to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/

https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/