Summary of Chemaxon Actions:
Chemaxon architects and engineering teams are actively investigating the vulnerabilities CVE-2022-42889 (Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults) potential exploits. We are committed to watching over our clients for exposure and associated attacks and are taking action with approved mitigation efforts. We are continuing to monitor our own infrastructure and products as more information becomes available.
What does this vulnerability affect?
CVE-2022-42889:
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9 of the library, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.
Most vendors have released mitigation rules, including these two:
Next steps
Product development is working on fixing the vulnerabilities of the affected products at the highest priority. We recommend enabling the aforementioned mitigations with your selected WAF vendor until the fixes are released for our affected products. We will continue to provide updates as necessary in this document.
Update
According to our analysis Chemaxon does not use the vulnerable parts of the impacted library, however we have already updated it in Frequent 22.19, and it is going to be fully fixed in the following LTSes soon:
- Iodine.6
- Krypton.5
- Lithium.2
Resources:
https://nvd.nist.gov/vuln/detail/CVE-2022-42889
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om