Remember the Log4Shell bug that showed up in Apache Log4j late in 2021?
Log4j is one of the Apache Software Foundation's many software projects (more than 350 at current count), and it's a programming library that Java coders can use to manage logfiles in their own products.
Logfiles are an important part of development, debugging, record keeping, program monitoring, and, in many industry sectors, of regulatory compliance.
Unfortunately, not all text you logged – even if it was sent in by an external user, for example as a username in a login form – was treated literally.
If you gave your name as MYNAME, it would be logged just like that, as the text string MYNAME, but any text wrapped in ${...} characters was treated as a command for the logger to run, which could cause what's known as RCE, short for remote code execution.
Recently, we saw a similar sort of bug called Follina, which affected Microsoft Windows.
There, the troublesome characters were $(...), with round brackets replacing curly ones, but with the same sort of side-effect.
In the Follina bug, a URL that contained a directory name with the string SOMETEXT in it would be treated just as it was written, but any text wrapped in $(...) would be run as a PowerShell command, once again causing a risk of remote code execution.
More trouble with brackets
Well, the bug CVE-2022-33980, which doesn't have a catchy name yet, is a very similar sort of blunder in the Apache Commons Configuration toolkit.
The name's quite a mouthful: Apache Commons is another Apache project that provides numerous Java utilities (sub-projects, if you like), each offering a range of useful programming toolkits.
One of these is Commons Configuration, which lets Java apps work with configuration files in a range of different formats, including XML, INI, plist, and many more.
As the project itself says, "the Commons Configuration software library provides a generic configuration interface which enables a Java application to read configuration data from a variety of sources."
Unfortunately, this software treats text wrapped in ${...} specially, too.
Instead of using the text literally, the following special "reprocessing" takes place, referred to rather confusingly in the jargon as interpolation:
${script:STRING} runs STRING as a Java script and uses the output of that code.
${dns:STRING} looks up STRING using DNS.
${url:STRING} reads the URL STRING and retrieves the text to use from there.
In other words, booby-trapped configuration files could, in theory, be used to run malicious code, leak data via DNS lookups, or fetch configuration settings from a rogue website.
What to do?
According to the Commons Configuration team, this "interpolation" bug was introduced in version 2.4 (released in late 2018) and patched in version 2.8.0 (released 2022-07-05, which is Tuesday this week).
All updates going back to version 2.2 in 2017 are listed as "minor releases", so we're assuming that updating from any of the vulnerable versions 2.4, 2.5, 2.6 or 2.7 to the latest version should be uncontroversial.
So, if you have any Java software that uses the Apache Commons Configuration library, update as soon as you can!
Oh, and if you're a programmer…
…whether you call it "command substitution", "live rewriting", "reprocessing" or "interpolation", use it sparingly, and don't turn it on by default for data you haven't already verified that you can trust.
Am I vulnerable?
A quick way to check for the presence of a possibly-vulnerable Commons Configuration library on a computer is to search for filenames of the form commons-configuration2-*.jar, where * is a wildcard meaning "any text allowed here".
On Linux/Unix, try:
$ find / -type f -name 'commons-configuration2-*.jar'
On Windows, try:
> DIR C:\commons-configuration2-*.jar /S
Vulnerable versions have the names:
commons-configuration2-2.4.jar
commons-configuration2-2.5.jar
commons-configuration2-2.6.jar
commons-configuration2-2.7.jar
Earlier or later versions don't have the bug.
The latest, patched, version is:
commons-configuration2-2.8.0.jar
If you find files with names like this:
commons-configuration-1.9.jar
…these are the old (version 1) flavour of the library, which doesn't have this bug.
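As an added example (not code from the original article or from the Apache Commons project), here is a POSIX shell script that turns the jar-name check above into a version classifier and also scans configuration files for the ${script:...}, ${dns:...} and ${url:...} lookups described earlier. The version ranges are the ones the article states; the script name in the usage comment and all sample inputs are made up.

```shell
#!/bin/sh
# Added example, not from the original article or the Apache Commons project.
# Two defender-side checks taken from the article: classify Commons Configuration
# jars by filename, and flag config files containing the script:, dns: and url:
# lookups that vulnerable versions interpolate. All sample inputs are constructed.

# Classify one jar path using the version ranges the article states:
# 2.4-2.7 vulnerable, 2.8.0 and later patched, earlier 2.x and the 1.x line unaffected.
classify_jar() {
    jarname=$(basename "$1")
    case "$jarname" in
        commons-configuration-1.*.jar)  echo unaffected-v1; return ;;
        commons-configuration2-2.*.jar) ;;
        *)                              echo unknown; return ;;
    esac
    ver=${jarname#commons-configuration2-2.}   # e.g. "4.jar", "8.0.jar", "10.1.jar"
    minor=${ver%%[.-]*}                         # first number after "2."
    case "$minor" in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    if [ "$minor" -ge 4 ] && [ "$minor" -le 7 ]; then
        echo vulnerable
    elif [ "$minor" -ge 8 ]; then
        echo patched
    else
        echo unaffected-pre-2.4
    fi
}

# Walk a directory tree (default: the whole filesystem, as in the article's
# find command) and print "<class><TAB><path>" for every Commons Configuration jar.
scan_jars() {
    find "${1:-/}" -type f -name 'commons-configuration*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        printf '%s\t%s\n' "$(classify_jar "$jar")" "$jar"
    done
}

# Print "<file>:<line>:<text>" for each config line holding a ${script:...},
# ${dns:...} or ${url:...} lookup; exit status is 0 only if something was found.
# Fixed-string matching (-F) so the braces and dollar signs are taken literally.
find_risky_lookups() {
    grep -n -F -e '${script:' -e '${dns:' -e '${url:' "$@"
}

# Stand-alone use (hypothetical file name): ./check-commons-config.sh --scan /opt/apps
if [ "${1:-}" = "--scan" ]; then
    scan_jars "${2:-/}"
fi
```

Note that find only sees jars sitting loose on disk; a copy bundled inside a WAR or fat jar has to be listed with an archive tool before classify_jar can be applied to its name.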
Note. The name Apache refers to the overall Software Foundation and all its projects. It's not the name of a webserver, in the same way that Microsoft isn't the name of an operating system. So, although websites based on the Apache Webserver, also known as httpd, are often referred to as "running Apache", this bug doesn't apply to the web server, which is written in C, not in Java.