CVE-2022-42889 - Apache Commons Text prior to 1.10.0 allows RCE
Description
- Package Manager: maven
- Vulnerable module: org.liquibase:liquibase-core
- Introduced through repackaging of commons-text transitive dependency as part of org.liquibase:liquibase-core
Detailed paths
- liquibase.version defined as 4.16.1 in pom.xml
Overview
Repackaged transitive dependency org.apache.commons:commons-text included by org.liquibase:liquibase-core is vulnerable to CVE-2022-42889.
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
Remediation
Upgrade org.liquibase:liquibase-core to version 4.17.1 or higher.
References
- NVD Entry
- Keycloak Defined Liquibase Version
- Liquibase Release Including Fixed Dependency
- Liquibase Commit Addressing Dependency
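The interpolation mechanism described in the Overview, shown as an added example (this is not code from the issue, from Keycloak or from Liquibase). The untrusted value and both helper methods are constructed for illustration; the only library calls are the public Commons Text API (StringSubstitutor.createInterpolator, StringLookupFactory.interpolatorStringLookup with addDefaultLookups=false, and the env/sys lookups):

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class InterpolationDemo {

    // Constructed sample input: a "configuration value" under attacker control.
    // On commons-text 1.5 through 1.9 the "script" prefix hands the rest of the
    // string to javax.script; the payload assumes a "javascript" engine is
    // installed (Nashorn, JDK 14 and earlier), otherwise the lookup throws.
    static final String UNTRUSTED =
        "${script:javascript:java.lang.Runtime.getRuntime().exec('id')}";

    // Vulnerable pattern: the default interpolator, which on 1.5-1.9 registers
    // the script, dns and url lookups, is applied to untrusted text.
    // On 1.10.0 and later the same call leaves the ${...} text untouched.
    static String expandWithDefaults(String value) {
        return StringSubstitutor.createInterpolator().replace(value);
    }

    // Hardened pattern: allow-list only the lookups the application needs and
    // pass addDefaultLookups=false, so "script", "dns" and "url" are never
    // registered. An unknown prefix resolves to null and StringSubstitutor
    // leaves the ${...} text as-is; nothing is executed or fetched.
    // This works on every version, not only the fixed 1.10.0.
    static String expandAllowListed(String value) {
        Map<String, StringLookup> allowed = Map.of(
            "env", StringLookupFactory.INSTANCE.environmentVariableStringLookup(),
            "sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        StringLookup interpolator =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator).replace(value);
    }

    public static void main(String[] args) {
        // Prints the payload back unchanged: the script prefix is not registered.
        System.out.println("allow-listed: " + expandAllowListed(UNTRUSTED));
        // Allow-listed prefixes still expand normally.
        System.out.println("allow-listed: " + expandAllowListed("${sys:java.version}"));
        // Only run this deliberately against a test JVM: on 1.5-1.9 it executes "id".
        if (args.length > 0 && args[0].equals("--unsafe")) {
            System.out.println("defaults: " + expandWithDefaults(UNTRUSTED));
        }
    }
}
```

The allow-list is the durable fix for code you own: it does not depend on which lookups a given commons-text release ships by default. Note that 1.10.0 removed script, dns and url from the defaults but still lets an operator re-enable them through the system property org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups, so an upgrade alone is not a guarantee if that property is set anywhere in the deployment.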
Top GitHub Comments
If I'm reading right, the first release of quarkus that includes the liquibase upgrade is 2.15.0 (https://github.com/quarkusio/quarkus/commit/387578a41f0f58bd70c33f64bc6ba23d69af937e)
Given that we seem to have a way to work around this with @pedroigor's suggestion, I think we can wait until our quarkus is upgraded to 2.15.0 or higher and then update liquibase accordingly.
@pedroigor - The commons-text classes are actually repackaged within the liquibase-core JAR itself, so maven exclusions won't help here unfortunately. Ex:
EDIT: Actually what I said is incorrect for what Keycloak is doing - this is an artifact from a different process / older version of liquibase. maven exclusion should work for Keycloak as of now.
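The thread's point about repackaging is the check worth automating: a Maven exclusion only removes commons-text when it is a normal transitive artifact, and an SCA tool that walks the POM graph can miss a copy whose classes were shaded into another JAR. The following is an added example, not code from the issue, Keycloak or Liquibase, that opens a JAR and reports whether it carries repackaged commons-text lookup classes and, where recoverable, which version. It assumes the repackaging step kept the original META-INF/maven/org.apache.commons/commons-text/pom.properties (Maven writes that file into every artifact it builds, but a shading configuration may strip it); when the file is absent only the class presence is reported:

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class RepackagedCommonsTextCheck {

    // A class from the commons-text lookup package that the default interpolator
    // is built on. Its presence inside some other project's JAR means commons-text
    // classes were repackaged there, regardless of what the POM declares.
    static final String MARKER_CLASS =
        "org/apache/commons/text/lookup/StringLookupFactory.class";

    // Written by Maven into the original commons-text artifact; assumed (not
    // guaranteed) to survive repackaging.
    static final String POM_PROPERTIES =
        "META-INF/maven/org.apache.commons/commons-text/pom.properties";

    // Returns the embedded commons-text version, or null if pom.properties is absent.
    static String embeddedVersion(JarFile jar) throws IOException {
        JarEntry entry = jar.getJarEntry(POM_PROPERTIES);
        if (entry == null) {
            return null;
        }
        try (InputStream in = jar.getInputStream(entry)) {
            Properties props = new Properties();
            props.load(in);
            return props.getProperty("version");
        }
    }

    // CVE-2022-42889 covers 1.5 <= version < 1.10 (the advisory text: 1.5 through 1.9).
    // Splits on "." and "-" so "1.9", "1.10.0" and "1.9-SNAPSHOT" all parse.
    static boolean isAffectedVersion(String version) {
        String[] parts = version.split("[.\\-]");
        int major = Integer.parseInt(parts[0]);
        int minor = parts.length > 1 ? Integer.parseInt(parts[1]) : 0;
        return major == 1 && minor >= 5 && minor < 10;
    }

    public static void main(String[] args) throws IOException {
        for (String path : args) {
            try (JarFile jar = new JarFile(path)) {
                boolean hasClasses = jar.getEntry(MARKER_CLASS) != null;
                String version = embeddedVersion(jar);
                if (!hasClasses) {
                    System.out.println(path + ": no repackaged commons-text lookup classes");
                } else if (version == null) {
                    System.out.println(path + ": repackaged commons-text present, version unknown;"
                        + " treat as affected until the source of the copy is confirmed");
                } else {
                    System.out.println(path + ": repackaged commons-text " + version
                        + (isAffectedVersion(version)
                            ? " (AFFECTED by CVE-2022-42889)"
                            : " (not in the affected range)"));
                }
            }
        }
    }
}
```

Run it as `java RepackagedCommonsTextCheck liquibase-core-4.16.1.jar` (or over every JAR in a deployment's lib directory); the one-line equivalent for a quick look is `unzip -l <jar> | grep org/apache/commons/text`. If the classes are present inside the JAR, the fix is the one in Remediation above, upgrading liquibase-core itself; a Maven exclusion or a dependencyManagement pin of commons-text to 1.10.0 only helps when, as the EDIT in the thread notes for Keycloak's current setup, commons-text arrives as an ordinary transitive dependency rather than as shaded classes.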