Apache Commons Text is a library focused on algorithms for working with strings, supplementing the string handling in the standard JDK. It includes algorithms for string similarity and for computing the distance between strings.
Everyone assumed this would be the next Log4j. It turned out not to be that serious, but it still needs to be patched.
Apache Commons Text library Flaw
This RCE bug was disclosed on the Apache mailing list. CVE-2022-42889: in Apache Commons Text version 1.5 and later, the set of default Lookup classes includes interpolators that allow arbitrary code execution and connections to remote servers. An attacker can supply malicious input, such as a DNS request or a script, which the lookup string then accepts and executes.
“The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
– “script” – execute expressions using the JVM script execution engine (javax.script)
– “dns” – resolve dns records
– “url” – load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.”
The standard interpolation format is “${prefix:name}”, where prefix is used to locate an instance of the class org.apache.commons.text.lookup.StringLookup. The lookups in question are: script, which executes expressions with the JVM script execution engine; dns, which resolves DNS records; and url, which loads values from a URL.
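For code that cannot upgrade immediately, one defensive option is to stop relying on the library's default lookup set altogether and build the StringSubstitutor from an explicit allow-list of prefixes, so the script, dns and url interpolators are simply unreachable from an untrusted “${prefix:name}” value. The following is an added example, not code from the original post or from the Apache project; it assumes a commons-text 1.9-era API where StringLookupFactory.interpolatorStringLookup(Map, StringLookup, boolean) and the KEY_* constants exist, and the sample config value is constructed.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example: a StringSubstitutor whose interpolator knows only an
 * explicit allow-list of prefixes. Any other prefix (script, dns, url, ...)
 * is never consulted, regardless of which library version is on the classpath.
 */
public class SafeInterpolation {

    /** Interpolator that resolves only "sys" and "env"; every other prefix is left untouched. */
    public static StringSubstitutor restrictedSubstitutor() {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put(StringLookupFactory.KEY_SYS, f.systemPropertyStringLookup());
        allowed.put(StringLookupFactory.KEY_ENV, f.environmentVariableStringLookup());
        // addDefaultLookups=false: do NOT merge in the library's default set,
        // which in 1.5 through 1.9 includes script/dns/url. No fallback lookup either,
        // so an unknown prefix resolves to null instead of being retried elsewhere.
        StringLookup interpolator = f.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        StringSubstitutor sub = restrictedSubstitutor();

        // Constructed sample config value: one allow-listed prefix, one disallowed one.
        String untrusted = "java=${sys:java.version} probe=${script:not-allowed}";
        String out = sub.replace(untrusted);
        System.out.println(out);

        // The allow-listed prefix is expanded; the disallowed one stays literal, because
        // the interpolator returns null for an unknown prefix and StringSubstitutor keeps
        // undefined variables verbatim by default.
        if (out.contains("${sys:") || !out.contains("${script:not-allowed}")) {
            throw new IllegalStateException("allow-list not enforced: " + out);
        }
    }
}
```

This is a stop-gap for code paths that must keep interpolating untrusted values; upgrading to 1.10.0, where these three lookups are no longer part of the default interpolator, remains the actual fix.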
Fixed in Apache Commons Text 1.10
At first everyone thought it was as severe as Log4j, but Rapid7 researchers found that Text4Shell is not. Rapid7 initially believed it would not affect the JDK, but Alvaro Muñoz provided a PoC.
This article is for personal study only.
Original: Apache Commons Text Flaw Is Worrisome, But Not Like Log4Shell