Major Apache Commons Text vulnerability discovered
A dangerous vulnerability caused by reckless string interpolation behaviour has been found in the Java library Apache Commons Text, Sophos reports.
The flaw is tracked as CVE-2022-42889 and affects Apache Commons Text versions released before 1.10.0. Because of insecure interpolation defaults, it allows remote code execution when the library's interpolation is applied to untrusted input.
The vulnerability affects the StringSubstitutor component of the Commons Text toolkit. Once an interpolator has been created, the component rewrites input data by evaluating the ${...} lookups it contains.
Sophos provided examples of the kinds of lookup the interpolator supports, taken directly from the StringSubstitutor.java source file.
Programming function    Example
--------------------    ----------------------------------------------
Base64 Decoder          ${base64Decoder:SGVsbG9Xb3JsZCE=}
Base64 Encoder          ${base64Encoder:HelloWorld!}
Java Constant           ${const:java.awt.event.KeyEvent.VK_ESCAPE}
Date                    ${date:yyyy-MM-dd}
DNS                     ${dns:address|apache.org}
Environment Variable    ${env:USERNAME}
File Content            ${file:UTF-8:src/test/resources/document.properties}
Java                    ${java:version}
Script                  ${script:javascript:3 + 4}
URL Content (HTTP)      ${url:UTF-8:http://www.apache.org}
URL Content (HTTPS)     ${url:UTF-8:https://www.apache.org}
The DNS, Script, and URL functions are dangerous because they can pull data from outside a trusted network into a business logic server inside your network, where it is then processed or logged.
For the DNS function, attackers can use a domain name they own and control, so the lookup is resolved by a DNS server of their choosing.
Sophos explained that the URL function looks up a server name, connects to it using HTTP or HTTPS, and then uses what’s sent back instead of the ${…} string.
“The danger posed by this behaviour depends on what the replacement string is used for,” it added.
The script function is potentially the most dangerous as it allows an attacker to run a command of their choosing. However, Sophos noted that it could only get the function to work on older versions of Java.
To protect networks from this vulnerability, Sophos recommends taking the following steps:
- Update to Commons Text 1.10.0;
- Sanitise your inputs; and
- Search your network for Commons Text software that you didn’t know you had.
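One way to apply the "sanitise your inputs" advice in code is to stop relying on the default interpolator altogether and give StringSubstitutor an allow-list of lookups, so that the dns, script and url prefixes are never registered. The example below is added here and is not code from Sophos or the Apache project; it assumes the public Commons Text API (StringLookupFactory and StringSubstitutor) and uses constructed sample inputs.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeSubstitutorExample {

    // Build a substitutor whose interpolator knows only the lookups we allow.
    // StringSubstitutor.createInterpolator() in versions before 1.10.0 also
    // registers dns, script and url, which is what CVE-2022-42889 abuses.
    static StringSubstitutor safeInterpolator() {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        // Prefixes are matched case-insensitively; lower-case keys are safe.
        allowed.put("date", factory.dateStringLookup());
        allowed.put("base64encoder", factory.base64EncoderStringLookup());
        allowed.put("base64decoder", factory.base64DecoderStringLookup());
        // defaultStringLookup = null and addDefaultLookups = false:
        // an unknown prefix resolves to nothing, and the built-in set
        // (env, file, url, dns, script, ...) is not pulled in.
        StringLookup interpolator =
                factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    // Render an untrusted string with the restricted substitutor.
    static String render(String untrusted) {
        return safeInterpolator().replace(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, shaped like the lookups from the table above.
        System.out.println(render("${base64Decoder:SGVsbG9Xb3JsZCE=}"));
        // Unregistered prefixes are left in place verbatim: nothing is
        // executed, resolved over DNS, or fetched over HTTP(S).
        System.out.println(render("${script:javascript:3 + 4}"));
        System.out.println(render("${dns:address|apache.org}"));
        System.out.println(render("${url:UTF-8:https://www.apache.org}"));
    }
}
```

The same allow-list approach still makes sense after upgrading to 1.10.0, since it documents explicitly which lookups a given code path is meant to honour.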