Emergency Vulnerability Bulletin - 10/17/22


By: RedLegg Blog

Apache Commons Text Remote Code Execution Vulnerability

Identifier: CVE-2022-42889

Exploit or POC: No

Update: https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

Description: CVE-2022-42889 allows for remote code execution. The standard set of Lookup instances shipped with Apache Commons Text could cause an application to contact a remote server or execute arbitrary code. This vulnerability affects versions 1.5 through 1.9. Apache Commons Text performs variable interpolation, which allows properties to be dynamically evaluated and expanded. The default interpolation format is "${prefix:name}", where "prefix" selects the instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. The default lookups include "script", which evaluates expressions using the JVM script execution engine, "dns", which resolves DNS records, and "url", which loads values from URLs. To remedy this vulnerability, the vendor recommends that users upgrade to Apache Commons Text 1.10.0.
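The following is an added example, not code from the bulletin or from the Apache Commons Text project, showing how the "${prefix:name}" dispatch described above works and how an application can build a StringSubstitutor that only dispatches to the lookups it actually needs. The class name RestrictedInterpolation and the method buildSubstitutor are assumed names; the StringLookupFactory and StringSubstitutor calls are the library's real API. Upgrading to 1.10.0 remains the recommended fix; this only illustrates the mechanism.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Assumed class name for this added example.
public class RestrictedInterpolation {

    // Builds a substitutor whose "prefix:name" dispatch table contains only
    // one entry: the "cfg" prefix, backed by an in-memory map we control.
    // Passing addDefaultLookups=false keeps every default lookup (including
    // "script", "dns" and "url") out of the table, and a null default lookup
    // means an unknown prefix resolves to nothing.
    static StringSubstitutor buildSubstitutor(Map<String, String> values) {
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("cfg", StringLookupFactory.INSTANCE.mapStringLookup(values));
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(lookups, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Constructed sample configuration values.
        Map<String, String> values = new HashMap<>();
        values.put("greeting", "hello");

        StringSubstitutor sub = buildSubstitutor(values);

        // Known prefix: "cfg:greeting" is split on ':' and sent to the map lookup.
        System.out.println(sub.replace("${cfg:greeting} world"));

        // Unregistered prefix: the lookup returns null, so the variable is left
        // unexpanded in the output instead of being handed to a script engine.
        System.out.println(sub.replace("${script:javascript:1+1}"));
    }
}
```

Compile and run with commons-text (and its commons-lang3 dependency) on the classpath; the first line prints "hello world" and the second prints the template unchanged. The design point is that the dispatch table, not the template text, decides which StringLookup implementations can ever be reached.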

Mitigation recommendation: Patching is currently the only method of mitigation.

RedLegg Action: None at this time.