Apache Commons Text Vulnerability
- Ylva Andersson
General information
This article contains information related to the remote code execution (RCE) vulnerability in Apache Commons Text, CVE-2022-42889.
This CVE was first announced 2022-10-13, followed by the final classification and investigation published on 2022-10-17.
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.
Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
Official sites for the CVE:
https://nvd.nist.gov/vuln/detail/CVE-2022-42889
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
The Nexus Security team has investigated the impact of remote code execution (RCE) vulnerability in Apache Commons Text (CVE-2022-42889), and the possible impact on our components. The component specific information can be seen in the table below.
Nexus components
This list contains the components from Nexus, and their respective affected versions.
Latest update date of this article
2022-11-04
Table of contents
Component | Affected versions CVE-2022-42889 | Comment |
|---|---|---|
Smart ID Certificate Manager | Not affected | Does not use Apache Commons-text |
Nexus OCSP Responder | Not affected | Does not use Apache Commons-text |
Nexus Timestamp Server | Not affected | Does not use Apache Commons-text |
Smart ID Desktop App/Client | Not affected | Does not use Apache Commons-text |
Smart ID Mobile App | Not affected | Does not use Apache Commons-text |
Nexus Card SDK | Not affected | Previous information stated that Card SDK was indirectly affected. Further investigations show that Card SDK is not affected at all. This is the case both in stand-alone mode, or when used with Identity Manager. |
Smart ID Physical Access | Not affected | Does not use Apache Commons-text |
Smart ID Digital Access (previously named Hybrid Access Gateway – HAG) | Not affected | Does not use Apache Commons-text |
Smart ID Identity Manager/PRIME |
| Apache Commons-text is only used for string sanitizing.
|
Smart ID Self-Service (Angular/SpringBoot-based) |
| Apache Commons-text is only used for string sanitizing.
|
Smart ID Self-Service Legacy USSP (Wicket-based) |
| Apache Commons-text is only used for string sanitizing. |
Smart ID Messaging component - Hermod | Not affected | Does not use Apache Commons-text |
Nexus ID06 Service | Not affected | Services patched with Apache Commons text 1.10.0 (2022-10-18) |
Nexus Go Cards | Not affected | Does not use Apache Commons-text |
Further information
Commons Text is a general-purpose text manipulation toolkit, described simply as “a library focused on algorithms working on strings”.
Even if you are a programmer who has not knowingly chosen to use it yourself, you may have inherited it as a dependency – part of the software supply chain – from other components you are using.
Also, if you do not code in Java, or are not a programmer at all, you may have one or more applications in your business that contains this library.
Nexus strongly recommends you to contact your other suppliers as well.
Technical information for those further interested in the vulnerability
The Commons Text toolkit includes a handy Java component known as a StringSubstitutor object, created with a Java command like this:
StringSubstitutor interp = StringSubstitutor.createInterpolator();
Once you have created an interpolator, you can use it to rewrite input data in handy ways. See an example below:
String str = "You have-> ${java:version}";
String rep = interp.replace(str);
Example output: You have-> Java version 19
String str = "You are-> ${env:USER}";
String rep = interp.replace(str);
Example output: You are-> duckThe replace() function processes its input string as if it is a kind of simple software program in its own right, copying the characters one-by-one except for a variety of special embedded ${...} commands that are very similar to the ones used in Log4J.
Examples from the documentation (derived directly from the source code file StringSubstitutor.java) include:
Programming function Example
-------------------- ----------------------------------
Base64 Decoder: ${base64Decoder:SGVsbG9Xb3JsZCE=}
Base64 Encoder: ${base64Encoder:HelloWorld!}
Java Constant: ${const:java.awt.event.KeyEvent.VK_ESCAPE}
Date: ${date:yyyy-MM-dd}
DNS: ${dns:address|apache.org}
Environment Variable: ${env:USERNAME}
File Content: ${file:UTF-8:src/test/resources/document.properties}
Java: ${java:version}
Script: ${script:javascript:3 + 4}
URL Content (HTTP): ${url:UTF-8:http://www.apache.org}
URL Content (HTTPS): ${url:UTF-8:https://www.apache.org}The dns, script and url functions are particularly dangerous, since they could lead to untrusted data, received from outside your network, but processed or logged on one of the business logic servers inside your network, doing the following:
dns: Lookup a server name and replace the ${...} string with the given value returned. If attackers use a domain name they themselves own and control, then this lookup will terminate at a DNS server of their choosing. (The owner of a domain name is, in fact, obliged to provide what is known as definitive DNS data for that domain.)
url: Lookup a server name, connect to it using HTTP or HTTPS, and use what is sent back instead of the string ${...}. The danger posed by this behavior depends on what the replacement string is used for.
script: Run a command of the attacker's choosing. We were only able to get this function to work with older versions of Java, because there is no longer a JavaScript engine built into Java itself. But many companies and apps still use old-but-still-supported Java versions such as 1.8 (JDK 8) and 11.0 (JDK 11), on which the dangerous ${script:javascript:...} remote code execution interpolation trick works just fine.
-----
String str = "DNS lookup-> ${dns:address|nakedsecurity.sophos.com}";
String rep = interp.replace(str);
Output: DNS lookup-> 192.0.66.227
-----
String str = "Stuff sucked from web-> ---BEGIN---${url:UTF8:https://example.com}---END---"
String rep = interp.replace(str);
Output: Stuff sucked from web-> ---BEGIN---<!doctype html>
<html>
<head>
<title>Example Domain</title>
. . .
</head>
<body>
<div>
<h1>Example Domain</h1>
[. . .]
</div>
</body>
</html>---END---
-----
String str = "Run some code-> ${script:javascript:6*7}"
String rep = interp.replace(str);
Output: Run some code-> 42Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions