Apache Common Text is used for advance text handling functions such as escaping special characters and the similarity of strings (basis on Cosine, Hamming, Longest Commons Subsequence distance, etc.). The difference between strings, text lookup, etc. A code execution vulnerability( CVE-2022-42889 )is in one of the text lookup modules of the Common Text library and identifying as CVE-2022-42889. A reliable vulnerability management tool can detect these.
However, A patch management software is required to patch the vulnerabilities.
Vulnerability(CVE-2022-42889) in Depth:
A module of org.apache.commons.text.lookup.StringLookupFactory Class called StringSubstitutor, used for constructing complex strings, has a flaw.
Example of StringSubstitutor object:
StringSubstitutor.createInterpolator().replace("... ${base64Decoder:UHJldmVudCBDeWJlcmF0dGFja3MgdXNpbmcgU2FuZXJOb3cg} ..."));The above example decodes the base64 encoded value and provides the output “Prevent Cyberattacks using SanerNow.”
Like this, multiple functionalities imposed by StringSubstitutor, as mentioned in the Common Text User Guide.
final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
final String text = interpolator.replace(
"Base64 Decoder: ${base64Decoder:SGVsbG9Xb3JsZCE=}\n" +
"Base64 Encoder: ${base64Encoder:HelloWorld!}\n" +
"Java Constant: ${const:java.awt.event.KeyEvent.VK_ESCAPE}\n" +
"Date: ${date:yyyy-MM-dd}\n" +
"Environment Variable: ${env:USERNAME}\n" +
"DNS: ${dns:address|apache.org}\n" +
"File Content: ${file:UTF-8:src/test/resources/document.properties}\n" +
"Java: ${java:version}\n" +
"Script: ${script:javascript:3 + 4}\n" +
"URL Content (HTTP): ${url:UTF-8:http://www.apache.org}\n" +
"URL Content (HTTPS): ${url:UTF-8:https://www.apache.org}\n" +
"Localhost: ${localhost:canonical-name}\n" +
"System Property: ${sys:user.dir}\n" +
"URL Decoder: ${urlDecoder:Hello%20World%21}\n" +
"URL Encoder: ${urlEncoder:Hello World!}\n" +
);Among the above functionalities, URL, Script, and DNS are some of the critical functions. These use cases can allow attackers to contact the C2C server or run commands in the victim server.
DNS:
DNS lookup can allow the hacker to get the private IP address to get details of an internal network.
lookupMap.put("dns", StringLookupFactory.INSTANCE.dnsStringLookup());
StringLookup variableResolver = StringLookupFactory.INSTANCE.interpolatorStringLookup(lookupMap, null, false);
new StringSubstitutor(variableResolver).replace("... ${dns:address|sanernow.com} ...");The above example will provide the internal IP address of sanernow.com
SCRIPT:
Malicious users can run commands in the vulnerable machine using Script functionality.
lookupMap.put("script", StringLookupFactory.INSTANCE.scriptStringLookup());
StringLookup variableResolver = StringLookupFactory.INSTANCE.interpolatorStringLookup(lookupMap, null, false);
StringLookupFactory.INSTANCE.scriptStringLookup().lookup("javascript:5 - 4");The above example converts “javascript:5 – 4” to 1.
Is CVE-2022-42889 critical?
The issue is equivalent to Apache’s log4j vulnerability. But, the Common Text module is not in use by most of the developers for input sanitization, as Apache’s logger module is in use. Compromise is possible only if a developer uses the latter module.
Impact:
Successful exploitation of the vulnerability will allow remote attackers to execute arbitrary code.
Solution:
- Update Apache Common Text to 1.10.0
SanerNow VM detects this vulnerability. Use SanerNow and keep your systems updated and secure.