1. Summary

Vulnerability Name: Apache Commons Configuration Remote Code Execution Vulnerability (CVE-2022-33980)
Release Date: July 7, 2022
Component Name: Apache Commons Configuration
Affected Versions: 2.4 ≤ Apache Commons Configuration ≤ 2.7
Vulnerability Type: Remote Code Execution Vulnerability
Severity: CVSS v3 Base Score 9.8 (Critical)
Exploitability: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None
Impact: Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

2. About CVE-2022-33980

2.1 Introduction

Apache Commons Configuration is a Java library that simplifies managing application configuration properties. It allows properties to be collected from different configuration sources such as properties files, XML files, Java system properties, and environment variables.

2.2 Summary

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • "script" - execute expressions using the JVM script execution engine (javax.script)
  • "dns" - resolve dns records
  • "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
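As an added example (not code from this advisory or from the Apache project), one mitigation on an affected version is to replace the configuration's default interpolator with one whose prefix lookups omit the three lookups named above, so that a value using "script", "dns" or "url" is left as a literal string instead of being evaluated. The class and method names SafeInterpolation, safePrefixLookups and hardened are assumptions; the library calls are the public Commons Configuration 2.x API, and the property values are constructed samples.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.Lookup;

/** Builds an interpolator that omits the lookups named in the advisory (hypothetical helper). */
public final class SafeInterpolation {

    // Prefixes the advisory identifies as dangerous when configuration values are untrusted.
    private static final Set<String> DENIED_PREFIXES = Set.of(
        DefaultLookups.SCRIPT.getPrefix(),   // "script"
        DefaultLookups.DNS.getPrefix(),      // "dns"
        DefaultLookups.URL.getPrefix());     // "url"

    /** Copy of the library's default prefix lookups with the denied prefixes removed. */
    public static Map<String, Lookup> safePrefixLookups() {
        Map<String, Lookup> lookups =
            new HashMap<>(ConfigurationInterpolator.getDefaultPrefixLookups());
        lookups.keySet().removeAll(DENIED_PREFIXES);
        return lookups;
    }

    /** Installs an interpolator that only knows the allowed prefixes; no extra default lookups. */
    public static PropertiesConfiguration hardened(PropertiesConfiguration config) {
        config.installInterpolator(safePrefixLookups(), List.of());
        return config;
    }

    public static void main(String[] args) {
        PropertiesConfiguration config = hardened(new PropertiesConfiguration());
        // Constructed sample values: one benign lookup, one that uses a denied prefix.
        config.setProperty("jvm", "${sys:java.version}");
        config.setProperty("untrusted", "${script:javascript:1+1}");

        // "sys" is still resolved, e.g. 17.0.2
        System.out.println(config.getString("jvm"));
        // No lookup is registered for "script", so the variable stays unresolved:
        // the literal text ${script:javascript:1+1} is returned and nothing is executed.
        System.out.println(config.getString("untrusted"));
    }
}
```

Applying the same allowlist through the builder parameters (setPrefixLookups) covers configurations created via a ConfigurationBuilder as well.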

Note: This vulnerability is currently undergoing reanalysis.

3. Affected Versions

2.4 ≤ Apache Commons Configuration ≤ 2.7

4. Solutions

4.1 Remediation Solutions

4.1.1 Apache Solution

Apache has released an updated version that fixes the vulnerability. Affected users can download it from the following link: https://commons.apache.org/proper/commons-configuration/download_configuration.cgi

5. Timeline

On July 7, 2022, Sangfor FarSight Labs received a notice about the Apache Commons Configuration remote code execution vulnerability (CVE-2022-33980).

On July 7, 2022, Sangfor FarSight Labs released a vulnerability alert.

6. References

https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s

https://nvd.nist.gov/vuln/detail/CVE-2022-33980

https://commons.apache.org/proper/commons-configuration/download_configuration.cgi

7. Learn More

Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.
