-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5278
   Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted
                input due to insecure interpolation defaults
                              21 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Commons Text
Publisher:         Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-42889
Original Bulletin:
   https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

Comment: CVSS (Max):  9.8 CVE-2022-42889 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Severity: important

Description:

Apache Commons Text performs variable interpolation, allowing properties to be
dynamically evaluated and expanded. The standard format for interpolation is
"${prefix:name}", where "prefix" is used to locate an instance of
org.apache.commons.text.lookup.StringLookup that performs the interpolation.

Starting with version 1.5 and continuing through 1.9, the set of default Lookup
instances included interpolators that could result in arbitrary code execution
or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine
  (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be
vulnerable to remote code execution or unintentional contact with remote servers
if untrusted configuration values are used.
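The lookup mechanism described above, as an added Java example that is not part of the Apache advisory or of this AusCERT bulletin: a constructed, attacker-controlled string carrying a "${script:...}" variable is first passed through the default interpolator (the pattern the advisory warns about) and then through a StringSubstitutor built from an explicit allow-list of lookups. The example assumes Commons Text 1.8 or later for StringSubstitutor.createInterpolator(); the "cfg" prefix, the appValues map and the UNTRUSTED string are invented for illustration. On 1.5 through 1.9, running on a JDK that provides a JavaScript engine (Nashorn on JDK 8 to 14, or one added to the classpath), the first call evaluates the expression inside the JVM; on 1.10.0, or with the allow-list on any version, the variable is left unresolved because no lookup is registered for the "script" prefix.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example, not code from Apache Commons Text or from the advisory.
 * Contrasts the default interpolator (vulnerable on 1.5-1.9) with a
 * substitutor restricted to an application-chosen allow-list of lookups.
 */
public class InterpolationDemo {

    // Constructed attacker input. The expression is deliberately harmless
    // arithmetic: the point is that it is evaluated at all. On 1.5-1.9 the
    // "script" lookup hands it to javax.script; on a JDK without a JavaScript
    // engine that lookup throws IllegalArgumentException instead of running it.
    static final String UNTRUSTED = "Hello ${script:javascript:3*7}";

    /** Vulnerable pattern: the full default lookup set applied to untrusted input. */
    static String expandWithDefaults(String template) {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
        return interpolator.replace(template);
    }

    /** Hardened pattern: only lookups the application registered, no defaults added. */
    static String expandWithAllowList(String template, Map<String, String> appValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // Hypothetical "cfg" prefix: resolves against an application-supplied map only.
        allowed.put("cfg", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        // defaultStringLookup=null: a variable with an unknown prefix resolves to
        // nothing and is left in place. addDefaultLookups=false: script, dns, url
        // (and env, sys, file, ...) are never registered, whatever the library version.
        StringLookup lookup = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup).replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> appValues = new HashMap<>();
        appValues.put("greeting", "Hello");

        // 1.5-1.9 with a JavaScript engine: "Hello 21" (code ran).
        // 1.10.0: "Hello ${script:javascript:3*7}" (prefix unknown, left as is).
        System.out.println("defaults : " + expandWithDefaults(UNTRUSTED));

        // Every version: "Hello ${script:javascript:3*7}"; only "cfg" can resolve.
        System.out.println("allowlist: " + expandWithAllowList(UNTRUSTED, appValues));

        // Legitimate placeholder still works through the allow-list: "Hello, world".
        System.out.println("allowlist: " + expandWithAllowList("${cfg:greeting}, world", appValues));
    }
}
```

The addDefaultLookups=false argument is the part that matters. The 1.10.0 release removes only script, dns and url from the default set; lookups such as env, sys and file remain registered, so a substitutor built from the defaults still expands "${env:...}" or "${file:...}" placeholders that appear in untrusted input. Treat the upgrade as necessary, and the allow-list (or not interpolating untrusted templates at all) as the fix that actually closes the exposure.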
Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables
the problematic interpolators by default.

Mitigation:

Upgrade to Apache Commons Text 1.10.0.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours which are GMT+10:00
(AEST). On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY1IDockNZI30y1K9AQjnrg/9GQuS3sYcmGJDxsgQUdXKcWyHOdmg0RXv
JzkWv3p7hn9mVCj+1XY2Cm1C/CcDaE5+iRHdrvGayuvxMZ//TuE8VqMXYLmvpgn+
dNpKTBZ9/tMursVp4OyQ8Cqs634+6QW3R5jINoRb4hvGdszj7CRjbAP6W9RymYIv
kNeBPuir0QevgeZgoNQickU04SDirSTAKhblIwyzuaDBAAJY6CEznO5iDZouqWCM
alhnXHD6n1yH99u9sGTuW6M9Oeufe0Fv0xH46OSfYKRDSphAs7Yflm8iF7tX8dtW
wRV+oSH4T7QgPrIdDl7/9D/s7Mr6MXLak0WbPNbv8pjgZNpKeXvNaYayJK5mwsrJ
zWLmVu/H8+PEgxjZ2E0XRhBBLwRvgNK067Ku+4cf83xdI/8SWvhNo+v4mytEOvOY
aqOhjJVqpi/bTPLd3FCC4DJpGSh1/bUxMfYNtjrYx6CBkSOIPuMttTSiwuPXUMT4
dIGRg7hFYPiraBMpyJqKWnQqIDybBTSmKDn58Xc/1aV0o2pFS1NEJIWoP9+SjJxx
BDSTO/0G5r/MuWhUAJbqfO9N21RoxpYybOf2WB+fBFadU9UCvNn5cTVy5kfTdBAs
WLVJG7zXORW+UHpf22MpJsq8d1y10bpTQCaWJIfZi84k9Cd6zPO3/Bdhcv4g3702
Pjef7MCi5jo=
=3loO
-----END PGP SIGNATURE-----