CVE-2022-42889 PoC

This is Proof of Concept for the vulnerability CVE-2022-42889. This code will run the JavaScript code 195 + 324. If vulnerable the output should be:

PoC Output: 519

In order to run this you will need:

• JDK 11 or above
• Maven

What's the Issue?

The issue stems from the fact that the following keys should not be interpolated by default (as per the documentation https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html):

• script
• dns
• url

However due to a flaw in the logic, these 3 keys are interpolated by default, when they should not (since they could represent a security risk).

What's the Risk?

An attacker with control over the string passed into an affected StringSubstitutor replace could allow the attacker to:

• Run JavaScript code on the system (typically a server) executing the StringSubstitutor code
• Connect to other servers from the affected system
• Potentially gain access to other remove resources from the affected system

Am I Vulnerable?

In order for your code to be vulnerable you need to:

• Be running a version of Apache commons-text from version 1.5.0 up to (and not including) 1.10.0
• Using Interpolation for your StringSubstituion (see https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html)
• Note that in JDK 15 and later the JavaScript engine is not longer included, so any instance running on a JVM 15 or later will not be vulnerable to RCE via the script key, however it will still be vulnerable to the dns and url keys.

Official Fix

The fix for this is to update your instances of commons-text to versions 1.10.0 or later.

Note

The other default lookups could still potentially represent a security risk (such as the ability to read content of files, read system properies, etc). Use this feature with caution and make sure that all user input appropriately sanitised (for example passing through an allow list).