Bug 1201279 (CVE-2022-33980)

Summary: VUL-0: CVE-2022-33980: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults
Product: [Novell Products] SUSE Security Incidents
Reporter: Hu <cathy.hu>
Component: Incidents
Assignee: Fridrich Strba <fstrba>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/336326/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Hu 2022-07-07 09:11:00 UTC
CVE-2022-33980

Apache Commons Configuration performs variable interpolation, allowing
properties to be dynamically evaluated and expanded. The standard format for
interpolation is "${prefix:name}", where "prefix" is used to locate an instance
of org.apache.commons.configuration2.interpol.Lookup that performs the
interpolation. Starting with version 2.4 and continuing through 2.7, the set of
default Lookup instances included interpolators that could result in arbitrary
code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions
may be vulnerable to remote code execution or unintentional contact with remote
servers if untrusted configuration values are used. Users are recommended to
upgrade to Apache Commons Configuration 2.8.0, which disables the problematic
interpolators by default.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33980
https://seclists.org/oss-sec/2022/q3/29
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33980
https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
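As an added example (not part of this bug report or of the Apache project's own code), a hardened interpolator setup for the 2.4 through 2.7 series that registers every default prefix lookup except the three named in the description, so the "${script:...}", "${dns:...}" and "${url:...}" forms are left as literal text. The class name and the sample property values are constructed for illustration.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.Lookup;

// Constructed example class; not part of Apache Commons Configuration.
public class RestrictedInterpolationExample {

    // The three default lookups the advisory names as unsafe in 2.4 through 2.7.
    private static final EnumSet<DefaultLookups> UNSAFE =
        EnumSet.of(DefaultLookups.SCRIPT, DefaultLookups.DNS, DefaultLookups.URL);

    /** Prefix-to-Lookup map holding every default lookup except the unsafe ones. */
    static Map<String, Lookup> restrictedPrefixLookups() {
        Map<String, Lookup> lookups = new HashMap<>();
        for (DefaultLookups dl : DefaultLookups.values()) {
            if (!UNSAFE.contains(dl)) {
                lookups.put(dl.getPrefix(), dl.getLookup());
            }
        }
        return lookups;
    }

    public static void main(String[] args) {
        PropertiesConfiguration config = new PropertiesConfiguration();
        // Replace the stock interpolator with one that only knows the prefixes in
        // the map. installInterpolator() still registers a lookup for the
        // configuration's own keys, so plain "${key}" references keep working.
        config.installInterpolator(restrictedPrefixLookups(), Collections.<Lookup>emptyList());

        // Constructed sample values standing in for untrusted configuration input.
        config.setProperty("greeting", "hello");
        config.setProperty("safe", "${greeting} from ${sys:user.name}");
        config.setProperty("blocked", "${script:javascript:1 + 1}");

        System.out.println(config.getString("safe"));
        // "script" is not a registered prefix, so the value comes back as the
        // literal text "${script:javascript:1 + 1}" and javax.script is never invoked.
        System.out.println(config.getString("blocked"));
    }
}
```

On 2.8.0 and later the three lookups are already absent from the defaults, so this restriction only matters when an application cannot yet upgrade.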
Comment 1 Hu 2022-07-07 09:11:32 UTC
Closing, not Affected:
- SUSE:SLE-15-SP2:Update/apache-commons-configuration  1.10
- openSUSE:Factory/apache-commons-configuration        1.10