List: oss-security
Subject: Re: [oss-security] CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to un
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2022-10-18 0:44:06
Message-ID: d39aa380-efd7-bb01-c6b4-06c5e2affb3c () oracle ! com
On 10/13/22 05:09, Gary D. Gregory wrote:
> Severity: important
>
> Description:
>
> Apache Commons Text performs variable interpolation, allowing properties to be dynamically
> evaluated and expanded. The standard format for interpolation is "${prefix:name}", where
> "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that
> performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of
> default Lookup instances included interpolators that could result in arbitrary code execution
> or contact with remote servers. These lookups are:
>
> - "script" - execute expressions using the JVM script execution engine (javax.script)
> - "dns" - resolve DNS records
> - "url" - load values from URLs, including from remote servers
>
> Applications using the interpolation defaults in the affected versions may be vulnerable to
> remote code execution or unintentional contact with remote servers if untrusted configuration
> values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables
> the problematic interpolators by default.
>
> Mitigation:
>
> Upgrade to Apache Commons Text 1.10.0.
>
The advisory from the researcher who found it is at:
https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/
--
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
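The following is an added example, not code from the advisory, the Commons Text project, or
either poster. It shows the two halves of the quoted description side by side: the default
interpolator (`StringSubstitutor.createInterpolator()`) applied to an untrusted value that
uses the "script" prefix, and a hardened substitutor built from an explicit allow-list of
lookups via `StringLookupFactory.interpolatorStringLookup(map, null, false)`, which passes no
default lookups at all and so does not depend on which version of the library is on the
classpath. The `UNTRUSTED` string and the class name are constructed for the demo; running
the vulnerable half on 1.5 through 1.9 also requires a `javax.script` engine for the named
language (for example Nashorn) to be present in the JVM.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class InterpolationDemo {

    // Constructed "untrusted configuration value". On Commons Text 1.5-1.9 the
    // default interpolator resolves the "script" prefix and hands the rest to
    // javax.script, so the expression runs in the JVM.
    static final String UNTRUSTED =
        "${script:javascript:java.lang.Runtime.getRuntime().exec('id')}";

    // A benign value that a configuration file might legitimately contain.
    static final String BENIGN = "${sys:java.version}";

    /** Vulnerable pattern: the stock interpolator with all default lookups. */
    static String withDefaults(String value) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(value);
    }

    /**
     * Hardened pattern: only the prefixes we actually need, no defaults.
     * addDefaultLookups=false means "script", "dns" and "url" are never
     * registered, whatever version of commons-text is on the classpath.
     * A prefix outside the allow-list resolves to null, and StringSubstitutor
     * then leaves the "${...}" text in place instead of evaluating it.
     */
    static String withAllowList(String value) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        allowed.put("env", StringLookupFactory.INSTANCE.environmentVariableStringLookup());

        StringLookup interpolator = StringLookupFactory.INSTANCE
            .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator).replace(value);
    }

    public static void main(String[] args) {
        // Benign value resolves either way.
        System.out.println("defaults,  benign   : " + withDefaults(BENIGN));
        System.out.println("allowlist, benign   : " + withAllowList(BENIGN));

        // Untrusted value: left verbatim under the allow-list; on 1.5-1.9 with
        // defaults it would instead execute the embedded script.
        System.out.println("allowlist, untrusted: " + withAllowList(UNTRUSTED));
    }
}
```

The allow-list version is the shape to keep even after upgrading to 1.10.0: the upgrade
changes the defaults, but an explicit lookup map records in the code which prefixes a given
input is permitted to use, and it will not regress if a later version or a system property
re-enables a lookup by default.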