search cancel

CVE-2022-42889 and APM

book

Article ID: 252479

calendar_today

Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope) CA Application Performance Management Agent (APM / Wily / Introscope) CA Application Performance Management SaaS DX APM SaaS DX Application Performance Management

Issue/Introduction

CVE-2022-42889 was published in the National Vulnerability Database on 13 October, 2022.  More information can be found at https://nvd.nist.gov/vuln/detail/CVE-2022-42889


A remote code execution vulnerability in Apache Commons Text string placeholder replacement class StringSubstitutor. When the class is used with defaults replacement resolvers, via StringSubstitutor.createInterpolator(), an input text attacker controlled by attacker can cause remote code execution. Other StringSubstitutor uses that supply own variable resolver are safe.

There is a new remote code execution vulnerability in Apache Commons Text (<1.10) CVE-2022-42889

It is some ways similar to Log4Shell vulnerability from a year ago, but usage of text substitution is not as widespread as is logging. There are safe ways to use StringSubstitutor (with constructor using explicit variable resolver) without using vulnerable StringSubstitutor.createInterpolator().

See also: https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/ but note that while it is in some ways similar to the famous Log4Shell vulnerability, the usage of text substitution is not as widespread as is logging so opportunities to exploit it are reduced.

Environment

Environment: APM 10.x, 20.x 21.x, 22.x

Resolution

In APM the library is used by ACC component, but it is used in only safe ways with explicit variable resolver. So, there is no impact.