Attacker Value
Low
(1 user assessed)
Exploitability
Very Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
5

CVE-2022-42889

Disclosure Date: October 13, 2022
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: – “script” – execute expressions using the JVM script execution engine (javax.script) – “dns” – resolve dns records – “url” – load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Add Assessment

3
Ratings
Technical Analysis

Rapid7 has a blog on this vuln with a particularly apt title. On the surface, the hyped-up internet chatter comparing this to Log4Shell might be justifiable, since we’re talking about an open-source library vuln, but practically speaking, it will be rare for real-world applications to be remotely exploitable out of the box. We’re seeing reports of “exploitation” in the wild, but the upshot of those reports so far seems to be that opportunists are hurling clumsy exploits at the internet without actually finding any vulnerable code paths. There’s a trees falling in the forest metaphor somewhere in here.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • apache,
  • juniper,
  • netapp

Products

  • bluexp -,
  • commons text,
  • security threat response manager,
  • security threat response manager 7.5.0

References

Exploit
PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

Additional Info

Technical Analysis

Description and technical analysis

CVE-2022-42889 is a code execution vulnerability in Apache Commons Text that came to light on the Apache dev list on October 13, 2022. Originally discovered by Alvaro Munoz, the vulnerability exists in the StringSubstitutor interpolator object that is created by the StringSubstitutor.createInterpolator() method and will allow for string lookups as defined in the StringLookupFactory. Using the “script”, “dns”, or “url” lookups would allow an attacker to use a crafted string to execute arbitrary scripts when passed to the interpolator object.

CVE-2022-42889 carries a (probably unwarranted) CVSS score of 9.8. There are multiple public proof-of-concept exploits available, but there has been no known exploitation in the wild as of October 17, 2022. Real-world exploitability is likely to be low.

Affected products

CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10.

Since Commons Text is a library, the specific usage of the interpolator in an application will dictate the impact of this vulnerability.
As an example:

StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
String pocstring = "${script:javascript:java.lang.Runtime.getRuntime().exec("echo 'pwnd'")}";
String pwn = interpolator.replace(pocstring);

This specific code fragment is unlikely to exist in production applications, but the concern is that in some applications, the pocstring variable may be attacker-controllable.
The StringSubstitutor interpolator does not seem to be in extremely wide use, and observed usage does not appear to be remotely exploitable in general.

We originally indicated that 5 JDK versions are not impacted due to the Nashorn Javascript engine being deprecated; however, other engines can be leveraged as well. An updated PoC came out that uses the JEXL engine as an exploit path. Here’s the payload:

String payload = "${script:JEXL:''.getClass().forName('java.lang.Runtime').getRuntime().exec('touch /tmp/jexlworks')}";

If JEXL is present, the code executes successfully.

Guidance

If you are directly using Commons Text, the recommended mitigation is to upgrade to v 1.10.0.
Since this is a vulnerability in a widely-used library, applications that bundle Commons Text will issue patches and mitigating those vulnerabilities will mean patching those applications individually.