Apache Commons Text CVE-2022-42889 Fix for JMeter

After the Log4Shell fiasco last year, it is now time to apply the patch for CVE-2022-42889 to your Java ecosystem. In this blog post, we will see about CVE-2022-42889 specs and how to mitigate in your JMeter ecosystem.

What is CVE-2022-42889?

From the National Vulnerability Database, the description is as follows:

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

What is Apache Commons?

Apache Commons is a collection of Java reusable components from the Apache Software Foundation. It consists of three parts:

• The Commons Proper- A repository of reusable Java components
• The Commons Sandbox- A workspace for Java component development
• The Commons Dormant- A repository of components that are now inactive

Commonly used Java components from Apache Commons are CSV, IO, Net, Text, and more.

Apache Commons Text

Apache Commons Text is a library focused on algorithms working on strings. Here is the Java documentation page.

If you are a developer, you still use this library without your knowledge via the software supply chain.

Dive into CVE-2022-48229

If your application uses the Apache Commons Text version between 1.5 - 1.9 (both inclusive), then the attacker can make use of the vulnerability in StringSubstitutor class.

Here is the sample snippet which I created using the above docs page.

Below code snippet (using Apache Commons Text 1.9) leverages the StringSubstitutor and interpolation where it prints the encoding and decoding string information by executing it as a string input.

// Apache Commons Text 1.9package org.qainsights;import org.apache.commons.text.*;public class Main {    public static void main(String[] args) {    StringSubstitutor interp = StringSubstitutor.createInterpolator();    String str = "Base64 Decoder ${base64Decoder:UUFJbnNpZ2h0cw==}
Base64 Encoder ${base64Encoder:QAInsights}";    String rep = interp.replace(str);    System.out.println(rep);    }}

It may not look like a vulnerability for normal eyes, but attackers can leverage the string inputs of dns, script, and url functions.

Here are the default interpolators which use the string lookups as above:

final StringSubstitutor interpolator = StringSubstitutor.createInterpolator(); final String text = interpolator.replace(       "Base64 Decoder:        ${base64Decoder:SGVsbG9Xb3JsZCE=}
"     + "Base64 Encoder:        ${base64Encoder:HelloWorld!}
"     + "Java Constant:         ${const:java.awt.event.KeyEvent.VK_ESCAPE}
"     + "Date:                  ${date:yyyy-MM-dd}
"     + "Environment Variable:  ${env:USERNAME}
"     + "File Content:          ${file:UTF-8:src/test/resources/document.properties}
"     + "Java:                  ${java:version}
"     + "Localhost:             ${localhost:canonical-name}
"     + "Properties File:       ${properties:src/test/resources/document.properties::mykey}
"     + "Resource Bundle:       ${resourceBundle:org.apache.commons.text.example.testResourceBundleLookup:mykey}
"     + "System Property:       ${sys:user.dir}
"     + "URL Decoder:           ${urlDecoder:Hello%20World%21}
"     + "URL Encoder:           ${urlEncoder:Hello World!}
"     + "XML XPath:             ${xml:src/test/resources/document.xml:/root/path/to/node}
");

Below are the extra lookups which are not included in Apache Commons Text 1.10:

"dns"  dnsStringLookup()"url"   urlStringLookup()"script"    scriptStringLookup()

Let us execute the url string lookup in version 1.9.

package org.qainsights;import org.apache.commons.text.*;public class Main {    public static void main(String[] args) {    StringSubstitutor interp = StringSubstitutor.createInterpolator();    String str = "${url:UTF-8:https://example.com}";    String rep = interp.replace(str);    System.out.println(rep);    }}

The above snippet will display the HTML output of https://example.com.

Now, let us upgrade the Apache Commons Text to 1.10.0. The above code will display the output below.

${url:UTF-8:https://example.com}

Basically, version 1.10.0 will not process the string lookups of dns, script, and url by DEFAULT.

If you still want to make use of the dns, script, and url lookups, you need to enable them explicitly. Here is the sample code:

// Enabling dns lookup in Apache Commons Text 1.10.0package org.qainsights;import org.apache.commons.text.*;import org.apache.commons.text.lookup.StringLookup;import org.apache.commons.text.lookup.StringLookupFactory;import java.util.HashMap;import java.util.Map;public class Main {    public static void main(String[] args) {    Map<String, StringLookup> lookupMap = new HashMap<>();    lookupMap.put("dns", StringLookupFactory.INSTANCE.dnsStringLookup());    StringLookup variableResolver = StringLookupFactory.INSTANCE.interpolatorStringLookup(lookupMap, null, false);    System.out.println(new StringSubstitutor(variableResolver).replace("${dns:address|apache.org}"));    }}

Mitigating it in Apache JMeter

Now we are equipped with the knowledge of Apache Commons Text vulnerability. Let us go ahead with how to mitigate the CVE-2022-42889 in Apache JMeter.

As you already know, Apache JMeter is a pure 100% Java performance testing tool which heavily relies on Apache Commons libraries.

First step is to find the commons-text-1.9.jar in JMETER_HOME\lib folder and replace it with the 1.10.0 version by downloading and extracting it from https://commons.apache.org/proper/commons-text/download_text.cgi

That's it. You are good to go.

Here is the automated script.

GitHub Repo

<!-- /wp:button -->

Conclusion

Considering the CVSS of 9.8 for the CVE-2022-42889, it is highly recommended to patch your environment with the latest patch. You can use the above script to automate. Please let me know if you have any questions.