Bug 2135435 (CVE-2022-42889) - CVE-2022-42889 apache-commons-text: variable interpolation RCE
Summary: CVE-2022-42889 apache-commons-text: variable interpolation RCE
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-42889
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2135924 2135926 2150122 2159406
Blocks: 2135067
Reported: 2022-10-17 16:23 UTC by Chess Hazlett
Modified: 2024-02-12 10:43 UTC (History)
117 users

Fixed In Version: commons-text 1.10.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.
Clone Of:
Environment:
Last Closed: 2022-12-10 20:33:05 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8652 0 None None None 2022-11-28 14:40:23 UTC
Red Hat Product Errata RHSA-2022:8876 0 None None None 2022-12-07 08:20:12 UTC
Red Hat Product Errata RHSA-2022:8902 0 None None None 2022-12-08 13:25:49 UTC
Red Hat Product Errata RHSA-2022:9023 0 None None None 2022-12-14 13:15:27 UTC
Red Hat Product Errata RHSA-2023:0261 0 None None None 2023-01-18 14:53:18 UTC
Red Hat Product Errata RHSA-2023:0469 0 None None None 2023-01-26 09:42:57 UTC
Red Hat Product Errata RHSA-2023:1006 0 None None None 2023-03-08 14:55:12 UTC
Red Hat Product Errata RHSA-2023:1524 0 None None None 2023-04-05 23:27:35 UTC
Red Hat Product Errata RHSA-2023:1655 0 None None None 2023-04-12 11:58:55 UTC
Red Hat Product Errata RHSA-2023:1866 0 None None None 2023-04-26 05:32:55 UTC
Red Hat Product Errata RHSA-2023:2097 0 None None None 2023-05-03 13:20:03 UTC
Red Hat Product Errata RHSA-2023:2135 0 None None None 2023-05-04 15:57:11 UTC
Red Hat Product Errata RHSA-2023:3195 0 None None None 2023-05-17 16:19:34 UTC
Red Hat Product Errata RHSA-2023:3198 0 None None None 2023-05-17 17:50:47 UTC
Red Hat Product Errata RHSA-2023:3299 0 None None None 2023-05-24 17:10:55 UTC
Red Hat Product Errata RHSA-2023:6179 0 None None None 2023-10-30 12:35:06 UTC
Red Hat Product Errata RHSA-2023:7288 0 None None None 2023-11-15 19:24:38 UTC
Red Hat Product Errata RHSA-2024:0775 0 None None None 2024-02-12 10:43:43 UTC
Red Hat Product Errata RHSA-2024:0776 0 None None None 2024-02-12 10:24:06 UTC
Red Hat Product Errata RHSA-2024:0777 0 None None None 2024-02-12 10:25:15 UTC
Red Hat Product Errata RHSA-2024:0778 0 None None None 2024-02-12 10:36:44 UTC

Description Chess Hazlett 2022-10-17 16:23:22 UTC
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
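The description above explains that a "${prefix:name}" reference is resolved by whichever StringLookup is registered under that prefix, and that the default registry in 1.5 through 1.9 contained the "script", "dns" and "url" lookups. The following is an added example written for this page (not code from the bug report, from Red Hat or from the Apache Commons Text project) showing the defensive pattern the 1.10.0 fix applies by default: build the interpolator from an explicit allowlist of lookups instead of the library defaults, so that no "script", "dns" or "url" prefix is reachable regardless of which library version is on the classpath. It assumes commons-text (1.10.0, the fixed version named on this page, or 1.9) is available; the `RestrictedInterpolation` class, the prefix names "app" and "sys", and the sample input are constructed for the example. The `findUnexpectedPrefixes` helper is a hypothetical pre-check that lets a caller fail closed or log when an untrusted value carries a prefix outside the allowlist.

```java
// Added example (not from the Red Hat bug or from Apache Commons Text).
// Assumes commons-text 1.10.0 (or 1.9) on the classpath.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class RestrictedInterpolation {

    // Prefixes this application intentionally supports (constructed for the example).
    static final Set<String> ALLOWED_PREFIXES = Set.of("app", "sys");

    // Matches the "${prefix:" head of an interpolation reference so a caller can
    // inspect which lookups an untrusted value is trying to reach.
    private static final Pattern PREFIX_REF = Pattern.compile("\\$\\{([A-Za-z0-9_.-]+):");

    // Builds a StringSubstitutor whose interpolator knows ONLY the lookups listed here.
    // addDefaultLookups=false keeps the library's default set (which in 1.5-1.9 included
    // "script", "dns" and "url") out of the registry entirely. This is the opposite of
    // StringSubstitutor.createInterpolator(), which starts from the defaults.
    static StringSubstitutor restrictedSubstitutor(Map<String, String> appValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, /* defaultStringLookup */ null,
                        /* addDefaultLookups */ false);
        return new StringSubstitutor(interpolator);
    }

    // Hypothetical pre-check: returns every prefix referenced by the input that is not in
    // the allowlist. A caller can reject the value or raise an alert before substituting.
    static List<String> findUnexpectedPrefixes(String untrusted) {
        List<String> unexpected = new ArrayList<>();
        Matcher m = PREFIX_REF.matcher(untrusted);
        while (m.find()) {
            String prefix = m.group(1);
            if (!ALLOWED_PREFIXES.contains(prefix)) {
                unexpected.add(prefix);
            }
        }
        return unexpected;
    }

    public static void main(String[] args) {
        Map<String, String> app = new HashMap<>();
        app.put("name", "inventory-service"); // constructed application value

        // Constructed sample of an untrusted configuration value that references one
        // allowed prefix and one prefix the allowlist does not contain.
        String untrusted = "service=${app:name} home=${sys:user.home} other=${script:ignored}";

        List<String> flagged = findUnexpectedPrefixes(untrusted);
        if (!flagged.isEmpty()) {
            // Defender choice: log and refuse, rather than interpolate blindly.
            System.err.println("rejected value referencing disallowed lookups: " + flagged);
            return;
        }
        StringSubstitutor safe = restrictedSubstitutor(app);
        System.out.println(safe.replace(untrusted));
    }
}
```

With an interpolator built this way, a reference whose prefix has no registered lookup resolves to null and StringSubstitutor leaves the "${...}" text in place rather than evaluating it, so the restricted substitutor is safe to use even on an affected 1.5-1.9 release; the pre-check is an additional layer that makes such attempts visible in logs. On 1.10.0 the library's own defaults already omit "script", "dns" and "url", but pinning the allowlist in application code keeps that guarantee independent of transitive dependency resolution, which is the kind of exposure several product trackers on this page (business-central.war bundling commons-text-1.9.jar, Maven references under exclusions) had to establish one by one.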

Comment 11 Rodrigo A B Freire 2022-10-18 10:46:47 UTC
Statement: 

eap-7, eapxp-4, camel-k, camel-q have maven references to the affected package but do not ship it nor use the code

Comment 13 Rodrigo A B Freire 2022-10-18 11:17:49 UTC
After further evaluation, we found that EAP has the apache-commons-text dependency explicitly declared under exclusions:

https://github.com/jbossas/jboss-eap7/blob/EAP_7.4.7.CR3-dev/pom.xml

Hence marking EAP as not affected and closing the EAP tracker.

Comment 18 Chess Hazlett 2022-10-18 19:30:48 UTC
adding openshift-4 and satellite-6 affected/fix

Comment 25 ir. Jan Gerrit Kootstra 2022-10-20 17:51:08 UTC
Is there any mitigation for this vulnerability?

Comment 36 Ken Fowler 2022-11-01 12:57:51 UTC
Any updates planned for Satellite Server 6 to fix this vulnerability?

Comment 37 boris.m 2022-11-06 11:57:44 UTC
business-central.war/WEB-INF/lib/commons-text-1.9.jar exists in the Red Hat Process Automation service. Any updates planned for RHPAM 7.13.1?

Comment 45 errata-xmlrpc 2022-11-28 14:40:16 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

Comment 48 errata-xmlrpc 2022-12-07 08:20:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2022:8876 https://access.redhat.com/errata/RHSA-2022:8876

Comment 49 errata-xmlrpc 2022-12-08 13:25:45 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3

Via RHSA-2022:8902 https://access.redhat.com/errata/RHSA-2022:8902

Comment 52 Product Security DevOps Team 2022-12-10 20:32:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-42889

Comment 53 errata-xmlrpc 2022-12-14 13:15:19 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.5

Via RHSA-2022:9023 https://access.redhat.com/errata/RHSA-2022:9023

Comment 54 jnoh 2022-12-30 17:09:20 UTC
Could you provide status updates on Red Hat Satellite 6 **candlepin**?

Thank you!

Comment 55 errata-xmlrpc 2023-01-18 14:53:13 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2023:0261 https://access.redhat.com/errata/RHSA-2023:0261

Comment 57 errata-xmlrpc 2023-01-26 09:42:51 UTC
This issue has been addressed in the following products:

  RHINT Camel-Q 2.13.2

Via RHSA-2023:0469 https://access.redhat.com/errata/RHSA-2023:0469

Comment 58 errata-xmlrpc 2023-03-08 14:55:05 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.7

Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006

Comment 61 errata-xmlrpc 2023-04-05 23:27:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:1524 https://access.redhat.com/errata/RHSA-2023:1524

Comment 63 errata-xmlrpc 2023-04-12 11:58:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655

Comment 69 errata-xmlrpc 2023-04-26 05:32:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1866 https://access.redhat.com/errata/RHSA-2023:1866

Comment 70 errata-xmlrpc 2023-05-03 13:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097

Comment 71 errata-xmlrpc 2023-05-04 15:57:06 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2023:2135 https://access.redhat.com/errata/RHSA-2023:2135

Comment 73 errata-xmlrpc 2023-05-17 16:19:27 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2023:3195 https://access.redhat.com/errata/RHSA-2023:3195

Comment 74 errata-xmlrpc 2023-05-17 17:50:41 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198

Comment 76 errata-xmlrpc 2023-05-24 17:10:48 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299

Comment 78 errata-xmlrpc 2023-10-30 12:34:59 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:6179 https://access.redhat.com/errata/RHSA-2023:6179

Comment 79 errata-xmlrpc 2023-11-15 19:24:30 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.14

Via RHSA-2023:7288 https://access.redhat.com/errata/RHSA-2023:7288

Comment 83 errata-xmlrpc 2024-02-12 10:23:56 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776

Comment 84 errata-xmlrpc 2024-02-12 10:25:07 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.14

Via RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777

Comment 85 errata-xmlrpc 2024-02-12 10:36:37 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778

Comment 86 errata-xmlrpc 2024-02-12 10:43:36 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2024:0775 https://access.redhat.com/errata/RHSA-2024:0775
