{"id":465053,"date":"2022-10-18T12:24:11","date_gmt":"2022-10-18T10:24:11","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=465053"},"modified":"2022-10-18T12:29:05","modified_gmt":"2022-10-18T10:29:05","slug":"major-apache-commons-text-vulnerability-discovered","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/465053-major-apache-commons-text-vulnerability-discovered.html","title":{"rendered":"Major Apache Commons Text vulnerability discovered"},"content":{"rendered":"

A dangerous vulnerability related to reckless string interpolation behaviour has been found in the Java source code library Apache Commons Text, Sophos reports<\/a><\/strong>.<\/p>\n

The flaw is tracked as CVE-2022-42889 and affects Apache Commons Text versions released before 1.10.0, allowing remote code execution when applied to untrusted input due to insecure interpolation defaults.<\/p>\n

The vulnerability affects the StringSubstitutor component of the Common Text Toolkit. The component allows input data to be rewritten once an interpolator has been created.<\/p>\n

Sophos provided an example of the kind of data that can be derived directly from the source code StingSubstitutor.java file.<\/p>\n

\n
Programming function   Example\r\n--------------------   ----------------------------------\r\nBase64 Decoder:        ${base64Decoder:SGVsbG9Xb3JsZCE=}\r\nBase64 Encoder:        ${base64Encoder:HelloWorld!}\r\nJava Constant:         ${const:java.awt.event.KeyEvent.VK_ESCAPE}\r\nDate:                  ${date:yyyy-MM-dd}  \r\nDNS:                   ${dns:address|apache.org}\r\nEnvironment Variable:  ${env:USERNAME}\r\nFile Content:          ${file:UTF-8:src\/test\/resources\/document.properties}\r\nJava:                  ${java:version} \r\nScript:                ${script:javascript:3 + 4} \r\nURL Content (HTTP):    ${url:UTF-8:http:\/\/www.apache.org}\r\nURL Content (HTTPS):   ${url:UTF-8:https:\/\/www.apache.org}\r\n<\/pre>\n<\/blockquote>\n
The DNS, Script, and URL functions are dangerous as they could lead to data from outside a trusted network which is then processed or logged on a business logic server within your network.<\/p>\n
For the DNS function, attackers can use a domain name they own and control. The lookup will then be terminated at a DNS of their choosing.<\/p>\n
Sophos explained that the URL function looks up a server name, connects to it using HTTP or HTTPS, and then uses what’s sent back instead of the ${…} string.<\/p>\n
“The danger posed by this behaviour depends on what the replacement string is used for,” it added.<\/p>\n
The script function is potentially the most dangerous as it allows an attacker to run a command of their choosing. However, Sophos noted that it could only get the function to work on older versions of Java.<\/p>\n
To protect networks from vulnerability, Sophos recommends taking the following steps:<\/p>\n