List:       oss-security
Subject:    Re: [oss-security] CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to un
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2022-10-18 0:44:06
Message-ID: d39aa380-efd7-bb01-c6b4-06c5e2affb3c () oracle ! com
On 10/13/22 05:09, Gary D. Gregory wrote:
> Severity: important
> 
> Description:
> 
> Apache Commons Text performs variable interpolation, allowing properties to be dynamically
> evaluated and expanded. The standard format for interpolation is "${prefix:name}", where
> "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that
> performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of
> default Lookup instances included interpolators that could result in arbitrary code execution
> or contact with remote servers. These lookups are:
> 
> - "script" - execute expressions using the JVM script execution engine (javax.script)
> - "dns" - resolve DNS records
> - "url" - load values from URLs, including from remote servers
> 
> Applications using the interpolation defaults in the affected versions may be vulnerable to
> remote code execution or unintentional contact with remote servers if untrusted configuration
> values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables
> the problematic interpolators by default.
> 
> Mitigation:
> 
> Upgrade to Apache Commons Text 1.10.0.
> 

The advisory from the researcher who found it is at:
https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
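
Added example (mine, not from the advisory, the GHSL write-up or the Commons Text project) showing the pattern the advisory describes and one way to harden it: the "before" uses StringSubstitutor.createInterpolator(), which on 1.5 through 1.9 registers the script, dns and url lookups by default; the "after" builds the interpolator from an explicit allowlist of lookups with the defaults switched off and nested substitution in values disabled, so an unknown prefix such as "script" is simply left unexpanded. The class name, the "app" prefix and the untrusted sample string are my assumptions; the Maven coordinate is org.apache.commons:commons-text. Do not run unsafeExpand() outside a disposable JVM on a 1.5 to 1.9 classpath.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Assumed dependency: org.apache.commons:commons-text (1.10.0 or later recommended).
public class InterpolationDemo {

    // Constructed sample: a value that arrived from an untrusted source (HTTP parameter,
    // configuration file, database row) and is later passed through an interpolator.
    // The script lookup splits on the first ':' into engine name and script body.
    static final String UNTRUSTED =
            "${script:javascript:java.lang.Runtime.getRuntime().exec('id')}";

    /**
     * Vulnerable pattern on 1.5-1.9: createInterpolator() wires in the full default
     * lookup set, including script, dns and url, so untrusted text can trigger them.
     */
    static String unsafeExpand(String input) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(input);
    }

    /**
     * Hardened pattern (works on every affected version as well as 1.10.0):
     * register only the lookups the application actually needs, pass null as the
     * default lookup, and set addDefaultLookups=false so script/dns/url are never
     * consulted. Unknown prefixes resolve to null and the "${...}" text is left as-is.
     */
    static String safeExpand(String input, Map<String, String> appValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // "app" is an assumed application-specific prefix backed by a plain map.
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));

        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, /* defaultStringLookup */ null, /* addDefaultLookups */ false);

        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Values pulled from the map are not themselves re-interpolated, so a value
        // containing "${...}" cannot smuggle a second round of lookups.
        sub.setDisableSubstitutionInValues(true);
        return sub.replace(input);
    }

    public static void main(String[] args) {
        Map<String, String> appValues = new HashMap<>();
        appValues.put("name", "demo");

        // Allowed prefix resolves normally.
        System.out.println(safeExpand("hello ${app:name}", appValues));

        // Unknown prefix: the untrusted string comes back unchanged, nothing is executed.
        String out = safeExpand(UNTRUSTED, appValues);
        System.out.println(out.equals(UNTRUSTED) ? "script lookup not reachable" : out);

        // unsafeExpand(UNTRUSTED) is deliberately not called here.
    }
}
```

The allowlist approach is worth keeping even after the 1.10.0 upgrade: the release only changes which lookups are in the default set, and an explicit interpolator documents exactly which prefixes a given template is allowed to use.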

