CVE-2022-42889. Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults.

Brocade Fabric OS

2 more products

21225

29 August 2023

20 October 2022

CLOSED

LOW

Base Score: 9.8 - CRITICAL - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

N/A

CVE-2022-42889

Summary

Security Advisory ID : BSA-2022-2096

Component : Apache Commons Text

Revision : 1.1

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.

More information at: https://blogs.apache.org/security/entry/cve-2022-42889

Products Confirmed Not Affected

  • Brocade Fabric OS
  • Brocade Active Support Connectivity Gateway (ASC-G)
  • Brocade SANnav

Notes

Brocade SANnav versions v2.2.0 and later contain a third-party component, which itself contains a version of the Apache commons-text component prior to 1.10.0. The Apache commons-text component is not directly accessed. Brocade SANnav does not expose or provide access to any Apache commons-text API to any external users. Security scans may detect the Apache commons-text component, however, Brocade SANnav is not exploitable.

Revision History

Version

Change

Date

1.0

Initial Publication

Oct 20, 2022

1.1

Updated Note to show v2.2.0 and later

August 29, 2023