search cancel

Siteminder not vulnerable to CVE-2022-42889

book

Article ID: 252807

calendar_today

Updated On:

Products

SITEMINDER

Issue/Introduction

CVE-2022-42889

----------------
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
----------------

Environment

Release Info. :

Siteminder Access Gateway 12.8.x

Web Agent for Sharepoint

Cause

Siteminder Access Gateway r12.8.7 and older ships with "Common Text 1.9"

<Install_Dir>/CA/secure-proxy/Tomcat/thirdparty/commons-text-1.9.jar
<Install_Dir>/CA/secure-proxy/Tomcat/webapps/proxyui/WEB-INF/lib/commons-text-1.9.jar

<Install_Dir>\CA\secure-proxy\Tomcat\thirdparty\commons-text-1.9.jar
<Install_Dir>\CA\secure-proxy\Tomcat\webapps\proxyui\WEB-INF\lib\commons-text-1.9.jar

This vulnerability is very specific.  According to the Apache Software Foundation, this vulnerability is only exposed under the following conditions:

--> If you are using software which uses Apache Commons Text 1.9 or older and using the "StringSubstitutor API" specifically without properly sanitizing any untrusted input.

Resolution

The Siteminder Sustaining Engineering team has confirmed that we are not using the "StringSubstitutor API", and therefore Siteminder Access Gateway and Sharepoint Web Agent implementations are not subject to this vulnerability.

However, 'commons-text-1.10' has been released for Siteminder Access Gateway.  "commons-text-1.10.0-bin.zip" has been attached to the KB (see Attachments (Below)).

1) Extract the provided commons-text-1.10.0-bin.zip file that contains the commons-text-1.10.0.jar file that is downloaded from https://commons.apache.org/proper/commons-text/download_text.cgi.

2) Stop Access Gateway, if running.

3) Take a backup of the commons-text-1.9.jar file from the following locations:
 

 Windows: <AG-installation-location>\Tomcat\thirdparty
                  <AG-installation-location>\Tomcat\webapps\proxyui\WEB-INF\lib
   

Linux: <AG-installation-location>/Tomcat/webapps/proxyui/WEB-INF/lib/
          <AG-installation-location>/Tomcat/thirdparty/

Note: We recommend that you delete the commons-text-1.9.jar file from the above locations before deploying the commons-text-1.10.0.jar file in Step 4. If you prefer to retain the commons-text-1.9.jar file in the same location, ensure that you rename the file (for example, commons-text-1.9_ORIGINAL.jar_ORIGINAL) to avoid any issues while deploying the latest jar.
 
4) Copy the 'commons-text-1.10.0.jar' file that is extracted from Step 1 into the above locations. 

5) Start Access Gateway.

Additional Information

https://blogs.apache.org/security/entry/cve-2022-42889

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889

Attachments

1667235131026__commons-text-1.10.0-bin.zip get_app