-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5278
 Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted
               input due to insecure interpolation defaults
                              21 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Commons Text
Publisher:         Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-42889  

Original Bulletin: 
   https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

Comment: CVSS (Max):  9.8 CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Severity: important

Description:

Apache Commons Text performs variable interpolation, allowing properties to be
dynamically evaluated and expanded. The standard format for interpolation is
"${prefix:name}", where "prefix" is used to locate an instance of 
org.apache.commons.text.lookup.StringLookup that performs the interpolation. 

Starting with version 1.5 and continuing through 1.9, the set of default Lookup
instances included interpolators that could result in arbitrary code execution
or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine
  (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be
vulnerable to remote code execution or unintentional contact with remote servers
if untrusted configuration values are used.

Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables
the problematic interpolators by default.
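
As an added illustration (not part of the Apache advisory or the Commons Text code base), the Java below places the vulnerable pattern the description refers to beside a hardened StringSubstitutor whose lookup set is enumerated explicitly; the sample template, the "app" prefix, the appValues map and the placeholder text "untrustedExpression" are constructed for this example.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class InterpolationDefaults {

    // Constructed sample input: a value that arrived from an untrusted source
    // and carries interpolation syntax for two of the lookups named above.
    // "untrustedExpression" is a placeholder label, not a runnable expression.
    static final String UNTRUSTED =
        "Hello ${user}, ${script:javascript:untrustedExpression} ${dns:example.invalid}";

    // Vulnerable pattern on 1.5 through 1.9: the default interpolator registers
    // the "script", "dns" and "url" lookups, so the prefixes in UNTRUSTED are
    // honoured and the embedded content is evaluated or fetched.
    static String expandWithDefaults(String text) {
        return StringSubstitutor.createInterpolator().replace(text);
    }

    // Hardened pattern: enumerate the lookups the application needs and pass
    // addDefaultLookups=false, so "script"/"dns"/"url" are never registered,
    // whatever the library version. Unknown prefixes stay as literal text
    // because the fallback lookup is a plain map that returns null for them.
    static String expandAllowListed(String text, Map<String, String> appValues) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        StringLookup appLookup = f.mapStringLookup(appValues);
        Map<String, StringLookup> allowed = Map.of("app", appLookup);
        StringLookup interpolator = f.interpolatorStringLookup(allowed, appLookup, false);
        return new StringSubstitutor(interpolator).replace(text);
    }

    // Cheap pre-check for logging or alerting: does the input try to reach a
    // lookup prefix this application never uses?
    static boolean mentionsDeniedLookup(String text) {
        String lower = text.toLowerCase();
        return lower.contains("${script:") || lower.contains("${dns:") || lower.contains("${url:");
    }

    public static void main(String[] args) {
        Map<String, String> appValues = Map.of("user", "alice");
        if (mentionsDeniedLookup(UNTRUSTED)) {
            System.out.println("alert: untrusted input carries a script/dns/url lookup");
        }
        // Only ${user} is expanded; the script and dns references survive as text.
        System.out.println(expandAllowListed(UNTRUSTED, appValues));
    }
}
```

The allow-listed substitutor is the configuration to keep even after moving to 1.10.0, since it does not rely on the library's defaults staying safe.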

Mitigation:

Upgrade to Apache Commons Text 1.10.0.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

-----END PGP SIGNATURE-----