Bug 2105067 (CVE-2022-33980) - CVE-2022-33980 apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults
Summary: CVE-2022-33980 apache-commons-configuration: Apache Commons Configuration ins...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-33980
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2106956 2106957 2106958
Blocks: 2105068
TreeView+ depends on / blocked
 
Reported: 2022-07-07 20:11 UTC by Sage McTaggart
Modified: 2023-05-03 13:19 UTC (History)
82 users (show)

Fixed In Version: commons-configuration 2.8.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Commons Configuration's variable interpolation, which by default included several lookup actions that could permit script invocation on remote servers. This issue could allow an attacker to use one of these actions to send a request to execute arbitrary code on the server.
Clone Of:
Environment:
Last Closed: 2022-12-08 22:14:21 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6916 0 None None None 2022-10-12 07:57:32 UTC
Red Hat Product Errata RHSA-2022:8652 0 None None None 2022-11-28 14:39:57 UTC
Red Hat Product Errata RHSA-2023:2097 0 None None None 2023-05-03 13:19:26 UTC

Description Sage McTaggart 2022-07-07 20:11:26 UTC 
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
Comment 21 errata-xmlrpc 2022-10-12 07:57:25 UTC 
This issue has been addressed in the following products:

  AMQ Broker 7.10.1

Via RHSA-2022:6916 https://access.redhat.com/errata/RHSA-2022:6916
Comment 25 errata-xmlrpc 2022-11-28 14:39:51 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
Comment 26 Product Security DevOps Team 2022-12-08 22:14:15 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-33980
Comment 27 errata-xmlrpc 2023-05-03 13:19:23 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097
Note You need to log in before you can comment on or make changes to this bug.