Bug 2136128 (CVE-2022-41852)

Summary: CVE-2022-41852 JXPath: untrusted XPath expressions may lead to RCE attack
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, alazarot, asoldano, balejosg, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, emingora, etirelli, fjuma, fmongiar, gjospin, gmalinko, hhorak, ibek, iweiss, janstey, jnethert, jochrist, jolee, jorton, jpavlik, jpoth, jrokos, jross, jschatte, jscholz, jwon, kverlaen, lgao, mizdebsk, mkoncek, mmclaugh, mnovotny, mokumar, mosmerov, msochure, msvehla, nwallace, pantinor, pdelbell, peholase, pjindal, pmackay, rguimara, rrajasek, rstancel, smaestri, tcunning, tom.jenkinson, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Apache Commons JXPath package. This flaw allows an attacker to use the interpreter to execute untrusted expressions and a remote code attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-03 18:44:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2136132, 2136133, 2138736, 2138737, 2138738, 2138739, 2138740, 2138741    
Bug Blocks: 2136129    

Description Patrick Del Bello 2022-10-19 12:04:54 UTC 
Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack. All JXPathContext class functions processing a XPath string are vulnerable except compile() and compilePath() function. The XPath expression can be used by an attacker to load any Java class from the classpath resulting in code execution.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
Comment 1 Patrick Del Bello 2022-10-19 12:11:37 UTC 
Created apache-commons-jxpath tracking bugs for this issue:

Affects: fedora-all [bug 2136132]


Created javapackages-bootstrap tracking bugs for this issue:

Affects: fedora-all [bug 2136133]
Comment 4 Marián Konček 2022-10-24 10:22:47 UTC 
There is an ongoing discussion in the upstream project https://github.com/apache/commons-jxpath/pull/25.
It boils don to whether a change in behaviour is acceptable and whether to implements whitelists / blacklists and whether to enable them by default.
I don't know what position to take, I would like ask the security team for opinion.
Comment 6 Marián Konček 2022-10-26 11:25:03 UTC 
FYI, no package in Fedora requires apache-commons-jxpath.
Comment 7 Marián Konček 2022-10-26 11:27:15 UTC 
Correction: maven BuildRequires this package.
Comment 14 errata-xmlrpc 2023-05-03 14:06:15 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100
Comment 15 Product Security DevOps Team 2023-05-03 18:44:31 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41852