search cancel

CVE-2022-42889: Apache Commons Text Vulnerability - NFA


Article ID: 252614


Updated On:


CA Network Flow Analysis (NetQos / NFA)


Is Network Flow Analysis vulnerable to CVE-2022-42889: Apache Commons Text?


Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.


NFA 21.2.x - 22.2.3


Currently the Apache Commons Text 1.9 JAR files exists within the compiled JAR files for all NFA Harvester services as well as 1 NFA Console feature.

However, NFA does not use the StringSubstitutor class of Apache Commons Text JAR. This vulnerability can only be exploited if the StringSubstitutor class is used with the default interpolators (StringSubstitutor.createInterpolator()) which will perform string lookups that may lead to arbitrary code execution.

Nonetheless the *.commons-text.* packages will be updated to 1.10 in 22.2.4.

Additional Information

For information regarding this vulnerability and the rest of DX NetOps, see here: CVE-2022-42889: Apache Commons Text Vulnerability - DX Netops and AppNeta