General information

This article contains information related to the remote code execution (RCE) vulnerability in Apache Commons Text, CVE-2022-42889.

This CVE was first announced 2022-10-13, followed by the final classification and investigation published on 2022-10-17.

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.

Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.

Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Official sites for the CVE:

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

The Nexus Security team has investigated the impact of remote code execution (RCE) vulnerability in Apache Commons Text (CVE-2022-42889), and the possible impact on our components. The component specific information can be seen in the table below.

Nexus components

This list contains the components from Nexus, and their respective affected versions.

Further information

Commons Text is a general-purpose text manipulation toolkit, described simply as “a library focused on algorithms working on strings”.

Even if you are a programmer who has not knowingly chosen to use it yourself, you may have inherited it as a dependency – part of the software supply chain – from other components you are using.

Also, if you do not code in Java, or are not a programmer at all, you may have one or more applications in your business that contains this library.

Nexus strongly recommends you to contact your other suppliers as well.

Technical information for those further interested in the vulnerability

The Commons Text toolkit includes a handy Java component known as a StringSubstitutor object, created with a Java command like this:

StringSubstitutor interp = StringSubstitutor.createInterpolator();

Once you have created an interpolator, you can use it to rewrite input data in handy ways. See an example below:

String str = "You have-> ${java:version}";
String rep = interp.replace(str);

Example output:   You have-> Java version 19


String str = "You are-> ${env:USER}";
String rep = interp.replace(str);

Example output:   You are-> duck

The replace() function processes its input string as if it is a kind of simple software program in its own right, copying the characters one-by-one except for a variety of special embedded ${...} commands that are very similar to the ones used in Log4J.

Examples from the documentation (derived directly from the source code file String­Substitutor.java) include:

Programming function   Example
--------------------   ----------------------------------
Base64 Decoder:        ${base64Decoder:SGVsbG9Xb3JsZCE=}
Base64 Encoder:        ${base64Encoder:HelloWorld!}
Java Constant:         ${const:java.awt.event.KeyEvent.VK_ESCAPE}
Date:                  ${date:yyyy-MM-dd}  
DNS:                   ${dns:address|apache.org}
Environment Variable:  ${env:USERNAME}
File Content:          ${file:UTF-8:src/test/resources/document.properties}
Java:                  ${java:version} 
Script:                ${script:javascript:3 + 4} 
URL Content (HTTP):    ${url:UTF-8:http://www.apache.org}
URL Content (HTTPS):   ${url:UTF-8:https://www.apache.org}

The dns, script and url functions are particularly dangerous, since they could lead to untrusted data, received from outside your network, but processed or logged on one of the business logic servers inside your network, doing the following:

dns:     Lookup a server name and replace the ${...} string with the given value returned. If attackers use a domain name they themselves own and control, then this lookup will terminate at a DNS server of their choosing. (The owner of a domain name is, in fact, obliged to provide what is known as definitive DNS data for that domain.)

url:     Lookup a server name, connect to it using HTTP or HTTPS, and use what is sent back instead of the string ${...}. The danger posed by this behavior depends on what the replacement string is used for.

script:  Run a command of the attacker's choosing. We were only able to get this function to work with older versions of Java, because there is no longer a JavaScript engine built into Java itself. But many companies and apps still use old-but-still-supported Java versions such as 1.8 (JDK 8) and 11.0 (JDK 11), on which the dangerous ${script:javascript:...} remote code execution interpolation trick works just fine.

-----

String str = "DNS lookup-> ${dns:address|nakedsecurity.sophos.com}";
String rep = interp.replace(str);

Output:   DNS lookup-> 192.0.66.227

-----

String str =  "Stuff sucked from web-> ---BEGIN---${url:UTF8:https://example.com}---END---"
String rep = interp.replace(str);

Output:   Stuff sucked from web-> ---BEGIN---<!doctype html>
<html>
<head>
    <title>Example Domain</title>
    . . .
</head>

<body>
<div>
    <h1>Example Domain</h1>
    [. . .]
</div>
</body>
</html>---END---

-----

String str = "Run some code-> ${script:javascript:6*7}"
String rep = interp.replace(str);

Output:   Run some code-> 42

Sources: https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/