CVE-2022-42889¶
WSO2 Products impacted: no
Customers actions required: yes
REPORTED VULNERABILITY¶
A new reported vulnerability CVE-2022-42889123 (Text4Shell/Act4Shell) exists in the StringSubstitutor interpolator object of Apache Common Text library (org.apache.commons:commons-text). An interpolator is created by the StringSubstitutor.createInterpolator() method and will allow for string lookups as defined in the StringLookupFactory4. This can be used by passing a string ${prefix:name} where the prefix is one of below mentioned lookup strings.
script- execute expressions using the JVM script execution engine (javascript.js)dns- performing dns resolutionurl- call to the entered url including remote servers (an inline script to execute)
WSO2 JUSTIFICATION¶
WSO2 products use Apache Commons Text. However, In order to be vulnerable, the application must meet all following pre conditions:
- StringSubstitutor class should be invoked with variable interpolation5 (
StringSubstitutor.createInterpolator()). - User inputs should be passed into the StringSubstitutor class.
The WSO2 team has carried out the investigation and relevant testing against the identified vulnerability. According to that, the above pre conditions are not met in WSO2 products. Hence WSO2 products are not vulnerable to identified vulnerability and cannot be exploited using it.
However we are actively working on upgrading the vulnerable dependency version to non-vulnerable version to reduce the unnecessary noise made by the Software Composition Analysis scanners. Customers may apply the security update once it is available.
REFERENCES¶
-
https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/ ↩
-
https://www.zscaler.com/blogs/security-research/security-advisory-apache-commons-text-remote-code-execution-vulnerability ↩
-
https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html ↩