Apache Commons Text Remote Code Execution Vulnerability
Identifier: CVE-2022-42889
Exploit or POC: No
Update: https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
Description: CVE-2022-42889 allows remote code execution. The standard set of Lookup instances enabled by default in affected versions of Apache Commons Text could result in contact with a remote server or arbitrary code execution. This vulnerability impacts versions 1.5 through 1.9. Apache Commons Text performs variable interpolation, which allows properties to be dynamically evaluated and expanded. The default format for interpolation is “${prefix:name}”, where “prefix” selects the instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. These lookups include “script”, which evaluates expressions using the JVM script execution engine, “dns”, which resolves DNS records, and “url”, which loads values from URLs. To remedy this vulnerability, the vendor recommends that users upgrade to Apache Commons Text 1.10.0.
Mitigation recommendation: Patching is currently the only method of mitigation
RedLegg Action: None at this time.
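As an added illustration (not code from the advisory or from the Apache Commons Text project), the following Java shows the weak setting the description refers to, the default interpolator whose prefix table includes “script”, “dns” and “url”, beside a restricted interpolator built from an explicit allowlist of lookups, so a “${script:...}” reference reaching it is left unexpanded rather than evaluated. It assumes the Commons Text 1.9 StringLookupFactory API and Java 11 or later; the class name, the “app” prefix and the sample values are constructed for this example.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolation {

    // Weak setting on 1.5 through 1.9: the default interpolator registers the
    // "script", "dns" and "url" lookups among its prefixes, so any untrusted text
    // containing "${script:...}" that reaches replace() is evaluated.
    static StringSubstitutor defaultInterpolator() {
        return StringSubstitutor.createInterpolator();
    }

    // Restricted setting: only the prefixes in this map are resolvable.
    // addDefaultLookups=false keeps every built-in lookup (script, dns, url, ...)
    // out of the prefix table, and a null default lookup means an unknown prefix
    // resolves to nothing, so StringSubstitutor leaves that variable untouched.
    static StringSubstitutor restrictedInterpolator(Map<String, String> appValues) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = Map.of(
            "app", factory.mapStringLookup(appValues),        // application-supplied values
            "sys", factory.systemPropertyStringLookup());     // read-only JVM properties
        StringLookup interpolator = factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Constructed sample: two allowlisted references plus one using a prefix
        // that must never be reachable from untrusted input.
        String template = "host=${app:host} java=${sys:java.version} x=${script:javascript:unused}";
        StringSubstitutor sub = restrictedInterpolator(Map.of("host", "db01"));
        System.out.println(sub.replace(template));
    }
}
```

Restricting the lookup set is a compensating control for code paths that interpolate untrusted text; upgrading to 1.10.0, where these lookups are no longer enabled by default, remains the fix the advisory recommends.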