The Apache Software Foundation (ASF) has released a fix for a critical-severity vulnerability in certain versions of the Apache Commons Text library that could enable remote code execution. However, details about the severity and scope of the vulnerability are still emerging, including the detection of any examples of real-world applications using vulnerable configurations of the impacted library.
The flaw (CVE-2022-42889) exists in Apache Commons Text, a library released in 2017 – and a component of the broader Apache Commons project that provides a number of Java utility programming toolkits – that focuses on algorithms enabling a variety of functionalities around strings. The issue stems from specific ways that the library performs a process called variable interpolation, which is the evaluation of the properties of strings that contain placeholders in order for the placeholders to be replaced with their corresponding values. In order to do so, Apache Commons Text treats text wrapped in “${prefix:name}”, where the “prefix” locates an instance of org.apache.commons.text.lookup.StringLookup, which then performs the interpolation. However, in certain versions of the library that date back to 2018, a number of default lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers, according to ASF in an advisory last week.
“Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used,” according to the advisory. “Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.”
The specific default lookup instances that utilize vulnerable interpolators include the “script” instance, which can execute expressions using the JVM script execution engine; the “dns” instance, which can resolve DNS records; and the “url” instance, which can load values from urls, including from remote servers. Users of vulnerable versions (version 1.5, released in 2018, through 1.9, released in 2020) can update to the fixed version of Apache Commons Text, 1.10.0, which was released Sept. 28.
Researchers with GreyNoise said that they are aware that proof-of-concept (PoC) code for the flaw is available, however, they have not yet seen real-world examples where the vulnerable code is reachable by user input.
