---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Apache Commons Text Vulnerability'
version: '1.0'
number: '2022-072'
original_date: 'October 13, 2022'
date: 'October 19, 2022'
---

_History:_

* _19/10/2022 --- v1.0 -- Initial publication_

# Summary

A vulnerability, tracked as **CVE-2022-42889** with a CVSS score of **9.8**, was found in _Apache Commons Text_ packages in versions 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers [1].

# Technical Details

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is `${prefix:name}`, where `prefix` is used to locate an instance of **org.apache.commons.text.lookup.StringLookup** that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- `script` - execute expressions using the JVM script execution engine (`javax.script`)
- `dns` - resolve DNS records
- `url` - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used [2, 3].
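An added example, not part of the CERT-EU advisory or of Apache's code: a Python inventory check that walks a directory of deployed archives and flags every copy of Commons Text in the affected 1.5 through 1.9 range, including copies nested inside WAR, EAR or uber-JAR files. It assumes jars keep their Maven file name (`commons-text-<version>.jar`) or their Maven `pom.properties` metadata; the function names are illustrative.

```python
import io
import re
import zipfile
from pathlib import Path

ARCHIVES = (".jar", ".war", ".ear")
# Assumption: the jar keeps its Maven file name or its Maven metadata entry.
JAR_NAME = re.compile(r"(?:^|/)commons-text-(\d+\.\d+(?:\.\d+)?)[^/]*\.jar$")
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"


def is_affected(version):
    """True for the range the advisory lists: 1.5 through 1.9."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return bool(m) and int(m[1]) == 1 and 5 <= int(m[2]) <= 9


def version_from_name(name):
    m = JAR_NAME.search(name.replace("\\", "/"))
    return m.group(1) if m else None


def scan_archive(data, label, depth=3):
    """Yield (location, version, affected) for Commons Text inside archive bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            where = f"{label}!/{name}"
            if name == POM_PROPS:  # metadata often survives in shaded/uber jars
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\d+\.\d+\S*)", text, re.M)
                if m:
                    yield where, m.group(1), is_affected(m.group(1))
            elif (v := version_from_name(name)):
                yield where, v, is_affected(v)
            elif depth > 0 and name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), where, depth - 1)


def scan_tree(root):
    """Walk a directory and report every Commons Text copy, on disk or nested."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower().endswith(ARCHIVES):
            if (v := version_from_name(path.name)):
                yield str(path), v, is_affected(v)
            else:
                yield from scan_archive(path.read_bytes(), str(path))
```

Copies that were relocated and stripped of both the file name and the Maven metadata are not found by this check; those need a class-level or SBOM-based inventory.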

# Affected Products

* Apache Commons Text version 1.5 to 1.9

# Recommendations

CERT-EU recommends upgrading to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

If the setting has to be ON, text input should be accepted from trusted sources only. The flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly [4].

# References

[1]

[2]

[3]

[4]