Response to CVE-2022-42889

Posted by Chemaxon on 25 10 2022

Summary of Chemaxon Actions:

Chemaxon architects and engineering teams are actively investigating potential exploits of the vulnerability CVE-2022-42889 (Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults). We are committed to monitoring our clients for exposure and associated attacks, and we are taking action with approved mitigation efforts. We continue to monitor our own infrastructure and products as more information becomes available.

What does this vulnerability affect?

CVE-2022-42889:

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9 of the library, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.
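The practical consequence of the paragraph above is that any StringSubstitutor built from the library's default interpolator will honour every registered lookup prefix in whatever text it is given. The added example below (not Chemaxon's code, and not part of this advisory) shows the mitigation that works on any Commons Text 1.x release: build the interpolator from an explicit allowlist of lookups with addDefaultLookups set to false, so that prefixes outside the allowlist are simply left as literal text, and refuse interpolation syntax outright in fields that come from untrusted sources. Version 1.10.0 additionally drops the script, dns and url lookups from the defaults, but an allowlist does not depend on that. It assumes org.apache.commons:commons-text on the classpath; the prefix "app", the variable names and the sample strings are constructed for the example.

```java
// Added example (not Chemaxon's code): a StringSubstitutor whose interpolator
// only knows an explicit allowlist of lookups. Assumes commons-text 1.x on the
// classpath; the "app" prefix and sample values are constructed for this example.
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    // The "${...}" syntax the library interprets; used to reject untrusted input
    // that carries interpolation markers before it reaches any substitutor.
    private static final Pattern INTERPOLATION = Pattern.compile("\\$\\{[^}]*\\}");

    /** Builds a substitutor that resolves only application-supplied variables. */
    public static StringSubstitutor hardenedSubstitutor(Map<String, String> appVars) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // "app" is a hypothetical prefix for values the application itself controls.
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appVars));
        // A harmless built-in lookup can be allowlisted explicitly if needed.
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        // defaultStringLookup = null and addDefaultLookups = false: no sys/env/script/
        // dns/url lookups are registered, regardless of the library version in use.
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    /**
     * The library's default interpolator, for comparison: on 1.5 through 1.9 it
     * registers every built-in lookup, which is what CVE-2022-42889 is about.
     */
    public static StringSubstitutor defaultSubstitutor() {
        return StringSubstitutor.createInterpolator();
    }

    /** True when untrusted text contains interpolation syntax and should be refused. */
    public static boolean containsInterpolation(String untrusted) {
        return untrusted != null && INTERPOLATION.matcher(untrusted).find();
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("greeting", "Hello");

        StringSubstitutor safe = hardenedSubstitutor(vars);
        // Constructed template: only the allowlisted prefix is expanded; the
        // "${sys:user.home}" reference stays literal because "sys" is not registered.
        String template = "${app:greeting}, user. Home is ${sys:user.home}.";
        System.out.println(safe.replace(template));

        // Constructed untrusted field: refuse it instead of substituting it.
        String untrusted = "name=${env:PATH}";
        System.out.println("reject untrusted input: " + containsInterpolation(untrusted));
    }
}
```

Running main prints "Hello, user. Home is ${sys:user.home}." followed by "reject untrusted input: true". The interpolator consults the allowlist by prefix and, with no default lookup configured, returns null for anything else, which StringSubstitutor leaves unchanged; that behaviour is the same in 1.9 and 1.10, so the allowlist is a safe configuration to ship ahead of a library upgrade.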

Most vendors have released mitigation rules, including these two:

Next steps

Product development is working on fixing the vulnerabilities of the affected products at the highest priority. We recommend enabling the aforementioned mitigations with your selected WAF vendor until the fixes are released for our affected products. We will continue to provide updates as necessary in this document.

Update

According to our analysis, Chemaxon does not use the vulnerable parts of the impacted library; however, we have already updated it in Frequent 22.19, and it will be fully fixed in the following LTS releases soon:
  • Iodine.6
  • Krypton.5
  • Lithium.2

Resources:

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om