The Apache Software Foundation (ASF) has released a fix for a critical-severity vulnerability in certain versions of the Apache Commons Text library that could enable remote code execution. However, details about the severity and scope of the vulnerability are still emerging, including the detection of any examples of real-world applications using vulnerable configurations of the impacted library.
The flaw (CVE-2022-42889) exists in Apache Commons Text, a library released in 2017 - and a component of the broader Apache Commons project that provides a number of Java utility programming toolkits - that focuses on algorithms enabling a variety of functionalities around strings. The issue stems from specific ways that the library performs a process called variable interpolation, which is the evaluation of the properties of strings that contain placeholders in order for the placeholders to be replaced with their corresponding values. In order to do so, Apache Commons Text treats text wrapped in "${prefix:name}", where the "prefix" locates an instance of org.apache.commons.text.lookup.StringLookup, which then performs the interpolation. However, in certain versions of the library that date back to 2018, a number of default lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers, according to ASF in an advisory last week.
“Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used,” according to the advisory. “Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.”
The specific default lookup instances that utilize vulnerable interpolators include the "script" instance, which can execute expressions using the JVM script execution engine; the "dns" instance, which can resolve DNS records; and the "url" instance, which can load values from urls, including from remote servers. Users of vulnerable versions (version 1.5, released in 2018, through 1.9, released in 2020) can update to the fixed version of Apache Commons Text, 1.10.0, which was released Sept. 28.
Researchers with GreyNoise said that they are aware that proof-of-concept (PoC) code for the flaw is available, however, they have not yet seen real-world examples where the vulnerable code is reachable by user input.
“We are aware of Proof-of-Concept code for CVE-2022-42889 that can trigger the vulnerability in an intentionally vulnerable and controlled environment,” said GreyNoise Research in a statement. “We are not aware of any examples of widely deployed real-world applications utilizing the Apache Commons Text library in a vulnerable configuration that would allow attackers to exploit the vulnerability with user controlled data.”
While details are still emerging for this flaw, CVE-2022-42889 is another reminder of the potential security risks that open-source software projects continue to pose - as highlighted last year by the infamous flaw in the Log4j Java logging library - particularly because Apache is ubiquitous and often exposed to the public internet, and the vulnerable package itself has existed since 2018, meaning it could be pervasive, said Casey Ellis, founder and CTO at Bugcrowd.
“It's a good time for organizations to ensure a solid understanding of where Apache, and especially Apache Commons Text, exists in their attack surface, plan for patching it, and prepare for the possibility of emergency patching or mitigation if exploitation takes off.”
“The good news is that exploiting the vulnerability appears to have a number of prerequisites, and for now we aren't seeing widespread exploitation,” said Ellis. “That said, it's a good time for organizations to ensure a solid understanding of where Apache, and especially Apache Commons Text, exists in their attack surface, plan for patching it, and prepare for the possibility of emergency patching or mitigation if exploitation takes off.”
Christopher Budd, senior manager of Threat Research at Sophos, said that while some reports have claimed that CVE-2022-42889 is similar to Log4j, so far "this does not appear to be the case."
"Log4j is a widely used Java library and any webserver running the vulnerable version could have been easily exploited while the Common Text library isn’t as prevalent," said Budd. "Additionally, Log4J can be exploited with generic code while this new vulnerability likely requires code that is specific and targeted. Finally, most applications will not be passing unsanitized user provided values to the library’s vulnerable functions, reducing or negating the exploitation risks."
GreyNoise researchers said that the individual implementation of each application using Apache Commons Text determines whether the vulnerable code could be reached by user input. In order to determine whether this vulnerable code is reached by user input, potentially impacted applications should be reviewed for all the uses of the vulnerable library, usage of the vulnerable function within the library and the usage of user-controlled input within the vulnerable library function.
“All above must be true to exploit this vulnerability given the information available at this time,” said GreyNoise Research. “At this point in time, the attacker would need to determine if the vulnerable version of Apache Commons Text library was used in the particular application. After that, they would have to perform the source code review of the application and develop a Proof-of-Concept exploit code. If a certain application gets publicly confirmed [as] vulnerable, the exploitation process would become fairly trivial.”
The Apache Commons Text flaw is also reminiscent of a recent, critical-severity vulnerability (CVE-2022-33980) in another Apache Commons component called Apache Commons Configuration, fixed in July. Apache Commons Configuration, which provides an interface for managing and accessing configuration objects, also included a vulnerable set of default lookup instances with interpolators that could result in code execution. In a July analysis of that Apache Commons Configuration flaw (CVE-2022-33980), researchers with Snyk said that “many systems permit the use of various types of code in configuration files, and there are legitimate use cases to include string and variable interpolation in the configuration of applications and systems.”
“This is not Log4Shell all over again,” said Snyk researchers in July. “This is simple configuration manipulation. If someone can change your configuration with ease, or the dynamic resources it may be pointing to, odds are you have bigger fish to fry.”