October 17, 2022 By Lindsey O’Donnell-Welch
The Apache Software Foundation (ASF) has released a fix for a critical-severity vulnerability in certain versions of the Apache Commons Text library that could enable remote code execution. However, details about the severity and scope of the vulnerability are still emerging, including whether any real-world applications running vulnerable configurations of the affected library have yet been identified.
The flaw (CVE-2022-42889) exists in Apache Commons Text, a library released in 2017 that focuses on algorithms for working with strings. It is a component of the broader Apache Commons project, which provides a number of Java utility toolkits. The issue stems from the specific way the library performs variable interpolation: evaluating strings that contain placeholders so that each placeholder can be replaced with its corresponding value. To do this, Apache Commons Text interprets text of the form "${prefix:name}", where the "prefix" selects an instance of org.apache.commons.text.lookup.StringLookup, which then performs the lookup. However, in certain versions of the library dating back to 2018, the set of lookup instances registered by default included interpolators that could result in arbitrary code execution or in contact with remote servers, according to an ASF advisory published last week.
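The mechanism described above, a prefix selecting a StringLookup, is also where the defensive configuration lives. The following Java class is an added example written for this article, not code from the ASF advisory or from the Commons Text project: it builds a StringSubstitutor whose interpolator only knows an explicit allowlist of prefixes (a map of application values and the date lookup), disables interpolation inside resolved values so that untrusted data placed in a value cannot introduce further placeholders, and keeps the template itself under application control. The class name, the sample template and the "unknownprefix" placeholder are constructed for illustration; the StringLookupFactory, InterpolatorStringLookup and StringSubstitutor calls are the library's public API.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Constructed example: a StringSubstitutor that resolves only an explicit
 * allowlist of "${prefix:name}" lookups instead of the library defaults.
 */
public final class AllowlistedInterpolation {

    /**
     * Builds a substitutor that knows exactly two prefixes:
     *   app:  -> values supplied by the application (a plain map)
     *   date: -> the library's date formatter
     * The third argument (addDefaultLookups = false) is the important part:
     * no other default lookup instance is registered, so any other prefix
     * is simply left unresolved.
     */
    static StringSubstitutor build(Map<String, String> appValues) {
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        lookups.put("date", StringLookupFactory.INSTANCE.dateStringLookup());

        // No default lookup (null) and no library defaults (false): unknown
        // prefixes fall through and the placeholder text is returned unchanged.
        StringLookup interpolator =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(lookups, null, false);

        StringSubstitutor substitutor = new StringSubstitutor(interpolator);
        // A value that itself contains "${...}" must not be interpolated again;
        // otherwise untrusted data copied into a value becomes a new template.
        substitutor.setDisableSubstitutionInValues(true);
        return substitutor;
    }

    public static void main(String[] args) {
        // The template is fixed application text; user input only ever
        // enters as a *value* in the map, never as the template string.
        String template = "Hello, ${app:user}! Today is ${date:yyyy-MM-dd}. "
                        + "Your note: ${app:note}";

        // Constructed untrusted input that tries to smuggle in a placeholder.
        String untrustedNote = "${unknownprefix:anything}";

        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");
        values.put("note", untrustedNote);

        String rendered = build(values).replace(template);

        // "${app:user}" and "${date:...}" are resolved; the smuggled
        // "${unknownprefix:anything}" is printed literally because
        // (a) the prefix is not in the allowlist and
        // (b) substitution inside values is disabled.
        System.out.println(rendered);
    }
}
```

The two choices that matter for defenders are visible in the code: the explicit lookup map with addDefaultLookups set to false, which replaces whatever lookup set the installed library version registers by default, and setDisableSubstitutionInValues(true), which stops a value taken from untrusted input from being treated as a template in its own right. Upgrading to the fixed release remains the primary remediation; this configuration is what to audit in code that constructs its own interpolator.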