How to use BigFix Inventory to discover applications that may be affected by Apache Commons Text vulnerability (CVE-2022-42889)

Apache Commons Text library versions 1.5 and later, but below 1.10, are affected by CVE-2022-42889. As described on the Apache website:

“Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- “script” - execute expressions using the JVM script execution engine (javax.script)
- “dns” - resolve dns records
- “url” - load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.”

https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

BigFix Inventory helps you discover whether the affected jars are deployed in your environment.
We have created two custom signatures to detect them:

• A signature that detects all versions of the commons-text jar; it helps identify where the library is deployed and used: https://bigfix.me/signature/details/1259
• A signature that detects only the versions of the commons-text jar affected by the CVE mentioned at the beginning of the article; it helps identify where the affected library is deployed and used: https://bigfix.me/signature/details/1260

Using custom signatures for detecting commons-text jars:

1. BigFix Inventory search for all commons-text-<version>.jar files

For a generic audit, you can use a custom signature that searches BigFix endpoints for Apache Commons Text JAR files whose names match the pattern commons-text-<version>.jar.
After scanning your endpoints with this signature, BigFix Inventory provides a report listing all Apache Commons Text jar files. The regular component version displayed is 0.any_version, and the detailed version contains the current patch level of the library.

2. BigFix Inventory search for only affected commons-text-<version>.jar files

For a detailed audit of CVE-affected Apache commons-text installations, BigFix Inventory provides an additional signature that searches for files matching the pattern commons-text-*.jar and collects information about all occurrences of affected versions. The regular component version displayed after discovery is 0.any_version, and the detailed version contains the current patch level of the library.

The process for using both custom signatures is the same:

  1. Download the signature file from the URL provided under each type of discovery described above.
  2. Log in to BigFix Inventory.
  3. Go to Management → Catalog Customization.
  4. Import the file with the custom signature.
  5. Run an import process.
  6. Make sure that the catalog was propagated to the endpoints (the automatically created propagation action is executed on all applicable endpoints).
  7. Run a software scan on the endpoints.
  8. Ensure the Upload Software Scan Result fixlet is running.
  9. Run an import process to import the scan results.
  10. Verify the results on the reports.

Please note that scan results are limited to jars stored directly in the file system; jars packaged inside another archive won’t be detected.
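As an added example (not BigFix code and not the signatures linked above), the same two checks as a standalone Python script: it lists every commons-text-<version>.jar under a directory, flags the 1.5 to 1.9 range the advisory names, and also looks one level inside .war/.ear/.zip/.jar containers, which the note above says the file-system signatures do not cover. The sample tree it scans is constructed in a temporary directory; the only assumption is the commons-text-<version>.jar naming convention.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JAR_NAME = re.compile(r"^commons-text-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")  # assumed naming
FIRST_AFFECTED, FIRST_FIXED = (1, 5, 0), (1, 10, 0)  # advisory: 1.5 <= v < 1.10.0
CONTAINERS = {".war", ".ear", ".zip", ".jar"}  # archives that may hide a nested jar

def parse_version(filename):
    """Return (major, minor, patch) for a commons-text-<version>.jar name, else None."""
    m = JAR_NAME.match(filename)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version):
    """True when the version falls inside the CVE-2022-42889 range."""
    return FIRST_AFFECTED <= version < FIRST_FIXED

def scan_tree(root):
    """Yield (location, version, affected) for each commons-text jar under root,
    including jars stored one level inside container archives."""
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        v = parse_version(path.name)
        if v:
            yield (str(path), v, is_affected(v))
        if path.suffix.lower() in CONTAINERS and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    mv = parse_version(member.rsplit("/", 1)[-1])
                    if mv:
                        yield (f"{path}!{member}", mv, is_affected(mv))

def demo():
    """Scan a constructed sample tree: three placeholder jars plus one WAR with a nested jar."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("commons-text-1.4.jar", "commons-text-1.9.jar", "commons-text-1.10.0.jar"):
            (root / name).write_bytes(b"")  # placeholder content; only the name matters
        with zipfile.ZipFile(root / "app.war", "w") as war:
            war.writestr("WEB-INF/lib/commons-text-1.8.jar", b"")
        return sorted((loc[len(tmp):], v, hit) for loc, v, hit in scan_tree(root))

if __name__ == "__main__":
    for loc, v, hit in demo():
        print("AFFECTED" if hit else "ok", ".".join(map(str, v)), loc, sep="\t")
```

Point scan_tree at a real application directory to get the same classification BigFix Inventory reports, plus the nested hits the signatures miss.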

Raghavendra,
BigFix Inventory Team
