Re: CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults

[Alan Coopersmith <alan.coopersmith () oracle com>]

On 10/13/22 05:09, Gary D. Gregory wrote:
> Severity: important
>
> Description:
>
> Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is 
> "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. 
> Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact 
> with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns 
> records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable 
> to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 
> 1.10.0, which disables the problematic interpolators by default.
>
> Mitigation:
>
> Upgrade to Apache Commons Text 1.10.0.

The advisory from the researcher who found it is at:
https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris