Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
CVE-2022-42889 - Apache Commons Text prior to 1.10.0 allows RCE
See original GitHub issueDescription
Description
- Package Manager: maven
- Vulnerable module: org.liquibase:liquibase-core
- Introduced through repackaging of commons-text transitive dependency as part of org.liquibase:liquibase-core
Detailed paths
liquibase.versiondefined as 4.16.1 in pom.xml
Overview
Repackaged transitive dependency org.apache.commons:commons-text included by org.liquibase:liquibase-core is vulnerable to CVE-2022-42889.
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - “script” - execute expressions using the JVM script execution engine (javax.script) - “dns” - resolve dns records - “url” - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
Remediation
Upgrade org.liquibase:liquibase-core to version 4.17.1 or higher.
References
NVD Entry Keycloak Defined Liquibase Version Liquibase Release Including Fixed Dependency Liquibase Commit Addressing Dependency
Issue Analytics
- State:
- Created 9 months ago
- Comments:6 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
If I’m reading right, the first release of quarkus that includes the liquibase upgrade is 2.15.0 (https://github.com/quarkusio/quarkus/commit/387578a41f0f58bd70c33f64bc6ba23d69af937e)
Given that we seem to have a way to work around this with @pedroigor 's suggestion, I think we can wait until our quarkus is upgraded to 2.15.0 or higher and then update liquibase accordingly.
@pedroigor - The
commons-textclasses are actually repackaged within the liquibase-core JAR itself, so maven exclusions won’t help here unfortunately.Ex:
EDIT:
Actually what I said is incorrect for what Keycloak is doing - this is an artifact from a different process / older version of liquibase. maven exclusion should work for Keycloak as of now.