Bug 2135435 (CVE-2022-42889)

Summary: CVE-2022-42889 apache-commons-text: variable interpolation RCE
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: commons-text 1.10.0
Doc Text:
A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.
Last Closed: 2022-12-10 20:33:05 UTC
Bug Depends On: 2135924, 2135926, 2150122, 2159406
Bug Blocks: 2135067

Description Chess Hazlett 2022-10-17 16:23:22 UTC
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
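An added example, not part of this bug report or of the Apache Commons Text project, of the defensive configuration the description points at: rather than relying on the library's default interpolator (whose lookup set on 1.5 through 1.9 includes "script", "dns" and "url"), build a StringSubstitutor whose lookups are an explicit allowlist, so those prefixes are never resolvable whatever the library version. It uses only the public commons-text API (StringLookupFactory, StringSubstitutor); the "prop" prefix, the properties map and the sample template strings are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolation {

    /**
     * Build a substitutor that knows only the lookups named here.
     * addDefaultLookups=false keeps the built-in set (script, dns, url, ...)
     * out entirely, and a null default lookup means an unknown prefix
     * resolves to nothing and is left in the text as-is.
     */
    static StringSubstitutor restrictedInterpolator(Map<String, String> props) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // "prop" is a constructed prefix; only keys of the props map resolve.
        allowed.put("prop", StringLookupFactory.INSTANCE.mapStringLookup(props));
        StringLookup lookup = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup);
    }

    /** True when the substitutor left the template untouched (nothing resolved). */
    static boolean leftUnresolved(StringSubstitutor sub, String template) {
        return template.equals(sub.replace(template));
    }

    public static void main(String[] args) {
        Map<String, String> props = new HashMap<>();
        props.put("greeting", "hello"); // constructed sample value

        StringSubstitutor safe = restrictedInterpolator(props);

        // Allowlisted prefix resolves normally.
        System.out.println(safe.replace("${prop:greeting}")); // hello

        // A prefix from the affected default set is not dispatched anywhere;
        // with the 1.5-1.9 default interpolator this same string would have
        // been handed to javax.script.
        String untrusted = "${script:javascript:1+1}";
        System.out.println(leftUnresolved(safe, untrusted)); // true

        // Unknown prefixes in general behave the same way.
        System.out.println(leftUnresolved(safe, "${url:file:///etc/hostname}")); // true
    }
}
```

Use this in place of StringSubstitutor.createInterpolator() wherever the text being expanded can be influenced by untrusted configuration values; upgrading to 1.10.0 removes the three lookups from the defaults but an explicit allowlist makes the intent visible in the code.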

Comment 11 Rodrigo A B Freire 2022-10-18 10:46:47 UTC
Statement: 

eap-7, eapxp-4, camel-k, camel-q have maven references to the affected package but do not ship it or use the code

Comment 13 Rodrigo A B Freire 2022-10-18 11:17:49 UTC
After further evaluation, we found that EAP has the apache-commons-text dependency explicitly declared under exclusions:

https://github.com/jbossas/jboss-eap7/blob/EAP_7.4.7.CR3-dev/pom.xml

Hence marking EAP as not affected and closing the EAP tracker.

Comment 18 Chess Hazlett 2022-10-18 19:30:48 UTC
adding openshift-4 and satellite-6 affected/fix

Comment 25 ir. Jan Gerrit Kootstra 2022-10-20 17:51:08 UTC
Is there any mitigation for this vulnerability?

Comment 36 Ken Fowler 2022-11-01 12:57:51 UTC
Any updates planned for Satellite Server 6 to fix this vulnerability?

Comment 37 boris.m 2022-11-06 11:57:44 UTC
business-central.war/WEB-INF/lib/commons-text-1.9.jar exists in Red Hat Process Automation. Any updates planned for RHPAM 7.13.1?

Comment 45 errata-xmlrpc 2022-11-28 14:40:16 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

Comment 48 errata-xmlrpc 2022-12-07 08:20:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2022:8876 https://access.redhat.com/errata/RHSA-2022:8876

Comment 49 errata-xmlrpc 2022-12-08 13:25:45 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3

Via RHSA-2022:8902 https://access.redhat.com/errata/RHSA-2022:8902

Comment 52 Product Security DevOps Team 2022-12-10 20:32:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-42889

Comment 53 errata-xmlrpc 2022-12-14 13:15:19 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.5

Via RHSA-2022:9023 https://access.redhat.com/errata/RHSA-2022:9023

Comment 54 jnoh 2022-12-30 17:09:20 UTC
Could you provide status updates on Red Hat Satellite 6 **candlepin**?

Thank you!

Comment 55 errata-xmlrpc 2023-01-18 14:53:13 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2023:0261 https://access.redhat.com/errata/RHSA-2023:0261

Comment 57 errata-xmlrpc 2023-01-26 09:42:51 UTC
This issue has been addressed in the following products:

  RHINT Camel-Q 2.13.2

Via RHSA-2023:0469 https://access.redhat.com/errata/RHSA-2023:0469

Comment 58 errata-xmlrpc 2023-03-08 14:55:05 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.7

Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006

Comment 61 errata-xmlrpc 2023-04-05 23:27:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:1524 https://access.redhat.com/errata/RHSA-2023:1524

Comment 63 errata-xmlrpc 2023-04-12 11:58:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655

Comment 69 errata-xmlrpc 2023-04-26 05:32:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1866 https://access.redhat.com/errata/RHSA-2023:1866

Comment 70 errata-xmlrpc 2023-05-03 13:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097

Comment 71 errata-xmlrpc 2023-05-04 15:57:06 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2023:2135 https://access.redhat.com/errata/RHSA-2023:2135

Comment 73 errata-xmlrpc 2023-05-17 16:19:27 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2023:3195 https://access.redhat.com/errata/RHSA-2023:3195

Comment 74 errata-xmlrpc 2023-05-17 17:50:41 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198

Comment 76 errata-xmlrpc 2023-05-24 17:10:48 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299

Comment 78 errata-xmlrpc 2023-10-30 12:34:59 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:6179 https://access.redhat.com/errata/RHSA-2023:6179

Comment 79 errata-xmlrpc 2023-11-15 19:24:30 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.14

Via RHSA-2023:7288 https://access.redhat.com/errata/RHSA-2023:7288

Comment 83 errata-xmlrpc 2024-02-12 10:23:56 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776

Comment 84 errata-xmlrpc 2024-02-12 10:25:07 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.14

Via RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777

Comment 85 errata-xmlrpc 2024-02-12 10:36:37 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778

Comment 86 errata-xmlrpc 2024-02-12 10:43:36 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2024:0775 https://access.redhat.com/errata/RHSA-2024:0775

Comment 88 errata-xmlrpc 2024-05-30 20:24:56 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.7.0

Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527

Comment 89 errata-xmlrpc 2025-02-24 00:07:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2025:1746 https://access.redhat.com/errata/RHSA-2025:1746

Comment 90 errata-xmlrpc 2025-02-24 00:09:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7

Via RHSA-2025:1747 https://access.redhat.com/errata/RHSA-2025:1747