This is an automated email from the ASF dual-hosted git repository. ggregory pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-text.git
The following commit(s) were added to refs/heads/master by this push: new 2fb0c0cd Update security page 2fb0c0cd is described below commit 2fb0c0cde77277cbada3fad188afe2dd53af4339 Author: Gary Gregory <garydgreg...@gmail.com> AuthorDate: Tue Oct 18 22:14:58 2022 -0400 Update security page --- src/site/xdoc/security.xml | 84 ++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 74 insertions(+), 10 deletions(-) diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml index e700ddc5..e7ba25ea 100644 --- a/src/site/xdoc/security.xml +++ b/src/site/xdoc/security.xml @@ -30,8 +30,10 @@ <p> If you need help on building this component or other help on following the instructions to - mitigate the known vulnerabilities listed here, please send your questions to the public - <a href="mail-lists.html">user mailing list</a>. + mitigate the + known vulnerabilities listed here, please send your questions to the public + <a href="mail-lists.html">user mailing list</a> + . </p> <p> 
@@ -40,14 +42,76 @@ Team. Thank you. </p> - <subsection name="Fixed in Apache Commons Text 1.10.0"> - <ul> - <li> - <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42889">CVE-2022-42889</a> - Variable interpolation can cause arbitrary code execution. - </li> - </ul> - + <subsection name="CVE-2022-42889 prior to 1.10.0, RCE when applied to untrusted input"> + <p> + On 2022-10-13, the Apache Commons Text team disclosed + <a href="https://www.cve.org/CVERecord?id=CVE-2022-42889">CVE-2022-42889</a> + . Key takeaways: + <ul> + <li> + If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely + still not vulnerable: only if this software uses the + <code>StringSubstitutor</code> + API without properly sanitizing any untrusted input. + </li> + <li> + If your own software uses commons-text, double-check whether it uses the + <code>StringSubstitutor</code> + API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a + quick workaround, but the recommended solution is to also properly validate and sanitize any + untrusted input. + </li> + </ul> + </p> + <p> + Apache Commons Text is a low-level library for performing various text operations, such as escaping, calculating string + differences, and substituting placeholders in the text with values looked up through interpolators. + When using the string substitution feature, some of the available interpolators can trigger network + access or code execution. This is intended, but it also means an application that includes user + input in the string passed to the substitution without properly sanitizing it would allow an + attacker to trigger those interpolators. + </p> + <p>For that reason the Apache Commons Text team have decided to update the configuration to be more + "secure by default", so that the impact of a failure to validate inputs is mitigated and will not + give an attacker access to these interpolators. 
However, it is still recommended that users treat + untrusted input with care. + </p> + <p> + We're not currently aware of any applications that pass untrusted input to the substitutor and thus would have been + impacted by this problem prior to Apache Commons Text 1.10.0. + </p> + <p> + This issue is different from + <a href="https://logging.apache.org/log4j/2.x/security.html#log4j-2.15.0">Log4Shell (CVE-2021-44228)</a> + because in Log4Shell, string interpolation was possible from the log message body, which commonly + contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly + intended and clearly documented to perform string interpolation, so it is much less likely that + applications would inadvertently pass in untrusted input without proper validation. + </p> + <p> + Credit: this issue was reported independently by Ruilin and by + <a href="https://github.com/pwntester">@pwntester (Alvaro Muñoz)</a> + of the + <a href="https://securitylab.github.com">GitHub Security Lab team</a> + . Thank you! + </p> + <p> + References: + <ul> + <li> + <a href="https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om">Announcement on d...@commons.apache.org</a> + </li> + <li> + <a href="https://www.openwall.com/lists/oss-security/2022/10/13/4">Announcement on oss-security</a> + </li> + <li> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889">Advisory on cve.org</a> + </li> + <li> + <a href="https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/">GHSL advisory</a> + </li> + </ul> + </p> </subsection> </section> </body>
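Review bot: in the first hunk the sentence-ending period is moved onto a line of its own after `<a href="mail-lists.html">user mailing list</a>`, so the rendered page reads "user mailing list ." with a stray space before the period; keep the punctuation on the same line as the closing tag, i.e. `<a href="mail-lists.html">user mailing list</a>.`, and the added line break inside "mitigate the / known vulnerabilities" is not needed either.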
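Review bot: in the second hunk the `<ul>` lists under "Key takeaways:" and "References:" are nested directly inside `<p>` elements, which is not valid HTML: a paragraph cannot contain a list, so browsers implicitly close the `<p>` before the `<ul>` and the trailing `</p>` after `</ul>` no longer matches anything; close the paragraph before each list (or drop the wrapping `<p>` and put the lead-in sentence in its own `<p>`) so the generated page validates. Smaller points in the same hunk: "In the Apache Common Text issue" should read "Apache Commons Text"; the reference labelled "Advisory on cve.org" links to `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889` while the first paragraph links the same CVE at `https://www.cve.org/CVERecord?id=CVE-2022-42889`, so either the label or the URL should be aligned; and the standalone `.` lines after the CVE link and the GitHub Security Lab link produce the same stray space before the period as in the first hunk.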