Remember the Log4Shell bug that showed up in Apache Log4j late in 2021?
Log4j is one of the Apache Software Foundation’s many software projects (more than 350 at the current count), and it’s a programming library that Java coders can use to manage logfiles in their own products.
Logfiles are an important part of development, debugging, record keeping, program monitoring, and, in many business sectors, of regulatory compliance.
Unfortunately, not all text you logged – even if it was sent in by an external user, for example as a username in a login form – was treated literally.
If you gave your name as MYNAME, it would be logged just like that, as the text string MYNAME, but any text wrapped in ${...} characters was treated as a command for the logger to run, which could cause what’s known as RCE, short for remote code execution.
Recently, we saw a similar sort of bug called Follina, which affected Microsoft Windows.
There, the troublesome characters were $(...), with round brackets replacing squiggly ones, but with the same sort of side-effect.
In the Follina bug, a URL that contained a directory name with the string SOMETEXT in it would be treated just as it was written, but any text wrapped in $(...) would be run as a PowerShell command, once again causing a risk of remote code execution.
More trouble with brackets
Well, the bug CVE-2022-33980, which doesn’t have a catchy name yet, is a very similar sort of blunder in the Apache Commons Configuration toolkit.
The name’s quite a mouthful: Apache Commons is another Apache project that provides numerous Java utilities (sub-projects, if you like) that offer a range of useful programming toolkits.
One of these is Commons Configuration, which lets Java apps work with configuration files in a range of different formats, including XML, INI, plist, and many more.
As the project itself says, “the Commons Configuration software library provides a generic configuration interface which enables a Java application to read configuration data from a variety of sources.”
Unfortunately, this software treats text wrapped in ${...} specially, too.
Instead of using the text literally, the following special “reprocessing” takes place, referred to rather confusingly in the jargon as interpolation:
${script:STRING} runs STRING as a script and uses the output of that code.
${dns:STRING} looks up STRING using DNS.
${url:STRING} reads the URL STRING and retrieves the text to use from there.
In other words, booby-trapped configuration files could, in theory, be used to run malicious code, leak data via DNS lookups, or fetch configuration settings from a rogue website.
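As an added illustration (this is example code written for this page, not code from the article or from the Commons Configuration project), here is a small Python audit routine that scans the text of a configuration file for ${prefix:...} interpolation tokens and flags the three prefixes listed above, so a file can be checked before it is handed to a library that interpolates by default. It assumes the ${prefix:argument} token syntax and treats $${...} as the library’s escape form that stays literal; the sample properties file and the lookup descriptions are constructed for the example.

```python
import re

# Lookup prefixes that the article describes as being interpolated by default
# in Commons Configuration 2.4-2.7; their presence in an untrusted file is the risk.
RISKY_PREFIXES = {
    "script": "runs the argument as a script",
    "dns": "resolves the argument via DNS (can leak data)",
    "url": "fetches replacement text from a URL",
}

# One ${...} token. The negative lookbehind skips $${...}, which is assumed
# to be the escape form that the library leaves as literal text.
TOKEN_RE = re.compile(r"(?<!\$)\$\{([^{}]*)\}")


def find_interpolations(text):
    """Return (prefix, argument) pairs for every ${prefix:arg} token in text.

    A token without a prefix, such as ${other.key}, refers to another
    configuration key rather than a lookup and is returned with prefix ''.
    """
    found = []
    for match in TOKEN_RE.finditer(text):
        body = match.group(1)
        prefix, sep, argument = body.partition(":")
        if not sep:
            prefix, argument = "", body
        found.append((prefix.strip().lower(), argument))
    return found


def audit_config(text):
    """Return (line_number, prefix, argument) for every risky token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for prefix, argument in find_interpolations(line):
            if prefix in RISKY_PREFIXES:
                findings.append((lineno, prefix, argument))
    return findings


# Constructed sample properties file for this example (not from the article).
SAMPLE_CONFIG = """\
# constructed sample, mixing literal values with interpolation tokens
app.name = MYNAME
app.home = ${sys:user.home}/app
db.host = ${dns:db.internal.example}
banner = ${script:javascript:1+1}
feed = ${url:http://config.example.invalid/settings.txt}
doc = $${script:this-is-escaped-and-stays-literal}
"""


def report(text=SAMPLE_CONFIG):
    """Print a human-readable audit of text and return the number of findings."""
    findings = audit_config(text)
    for lineno, prefix, argument in findings:
        print(f"line {lineno}: ${{{prefix}:{argument}}} -> {RISKY_PREFIXES[prefix]}")
    return len(findings)


if __name__ == "__main__":
    report()
```

Run on the sample, the audit reports lines 4, 5 and 6 (the dns, script and url tokens) and leaves the literal MYNAME, the sys lookup and the escaped token alone; a real deployment would feed it every configuration file the application loads from a source it does not control.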
What to do?
According to the Commons Configuration team, this “interpolation” bug was introduced in version 2.4 (released in late 2018) and patched in version 2.8.0 (released 2022-07-05, which is Tuesday this week).
All updates going back to version 2.2 in 2017 are listed as “minor releases”, so we’re assuming that updating from any of the vulnerable versions 2.4, 2.5, 2.6 or 2.7 to the latest version should be uncontroversial.
So, if you have any Java software that uses the Apache Commons Configuration library, update as soon as you can!
Oh, and if you’re a programmer…
…whether you call it “command substitution”, “live rewriting”, “reprocessing” or “interpolation”, use it sparingly, and don’t turn it on by default for data you haven’t already verified you can trust.
Am I vulnerable?
A quick way to look for the presence of a possibly-vulnerable Commons Configuration library on a computer is to search for filenames of the form commons-configuration2-*.jar, where * is a wildcard denoting “any text allowed here”.
On Linux/Unix, try:
$ find / -type f -name 'commons-configuration2-*.jar'
On Windows, try:
> DIR C:\commons-configuration2-*.jar /S
Vulnerable versions have the names:
commons-configuration2-2.4.jar
commons-configuration2-2.5.jar
commons-configuration2-2.6.jar
commons-configuration2-2.7.jar
Earlier or later versions don’t have the bug.
The latest, patched, version is:
commons-configuration2-2.8.0.jar
If you find files with names like this:
commons-configuration-1.9.jar
…these are the old (version 1) flavour of the library, which doesn’t have this bug.
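Added example, not part of the article: a Python version of the find/DIR check above that walks a directory tree, parses the version out of each commons-configuration*.jar filename, and classifies it using the version ranges the article gives (2.4 to 2.7 vulnerable, 2.8.0 and later patched, earlier 2.x and the version 1 flavour unaffected). The demo tree and its empty jar files are constructed for the example; in practice you would point scan_tree at / or C:\. Note that it only inspects filenames, exactly like the commands above, so a renamed or shaded jar would not be caught.

```python
import re
import tempfile
from pathlib import Path

# commons-configuration2-2.7.jar  -> major group "2", version "2.7"
# commons-configuration-1.9.jar   -> major group None, version "1.9"
JAR_RE = re.compile(
    r"^commons-configuration(?P<major>2)?-(?P<version>\d+(?:\.\d+)*)\.jar$"
)


def parse_version(text):
    """Turn '2.8.0' into (2, 8, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify_jar(filename):
    """Classify a jar by its filename using the ranges given in the article.

    Returns 'vulnerable', 'patched', 'not-affected', 'v1-unaffected' or 'unknown'.
    """
    match = JAR_RE.match(Path(filename).name)
    if not match:
        return "unknown"
    if match.group("major") is None:
        # commons-configuration-1.x: the old flavour, which doesn't have this bug
        return "v1-unaffected"
    version = parse_version(match.group("version"))
    if (2, 4) <= version[:2] <= (2, 7):
        return "vulnerable"
    if version >= (2, 8):
        return "patched"
    return "not-affected"  # 2.0 to 2.3 predate the interpolation bug


def scan_tree(root):
    """Walk root recursively and map each commons-configuration jar path to its class."""
    results = {}
    for path in Path(root).rglob("commons-configuration*.jar"):
        if path.is_file():
            results[str(path)] = classify_jar(path.name)
    return results


def demo_scan():
    """Build a throwaway tree of constructed, empty jar files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "app" / "lib"
        lib.mkdir(parents=True)
        for name in (
            "commons-configuration2-2.6.jar",   # constructed: vulnerable
            "commons-configuration-1.9.jar",    # constructed: old v1 flavour
            "commons-configuration2-2.8.0.jar",  # constructed: patched
            "commons-lang3-3.12.0.jar",          # constructed: unrelated jar
        ):
            (lib / name).touch()
        found = scan_tree(tmp)
        return sorted((Path(p).name, kind) for p, kind in found.items())


if __name__ == "__main__":
    for name, kind in demo_scan():
        print(f"{kind:14} {name}")
```

The classifier keys on the version tuple rather than on an exact list of names, so a later 2.x release such as 2.8.1 or 2.9 is reported as patched without editing the script, while anything it cannot parse comes back as 'unknown' for a human to look at.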
Note. The name Apache refers to the overall Software Foundation and all its projects. It’s not the name of a webserver, in the same way that Microsoft isn’t the name of an operating system. So, even though websites based on the Apache Webserver, also known as httpd, are often referred to as “running Apache”, this bug doesn’t apply to the web server, which is written in C, not in Java.