Apache commons_text (CVE-2022-42889) and commons_configuration (CVE-2022-33980) vulnerability

Summary

CVE-2022-42889:


Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

"script" - execute expressions using the JVM script execution engine (javax.script)
"dns" - resolve DNS records
"url" - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.


CVE-2022-33980:


Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

"script" - execute expressions using the JVM script execution engine (javax.script)
"dns" - resolve DNS records
"url" - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.
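Both descriptions above come down to the same mechanism: a "${prefix:name}" token is routed to whichever lookup is registered under "prefix", and the affected versions register script, dns and url by default. Upgrading removes them from the default set; an application that builds its own interpolator from an explicit allowlist is protected on any version, and also avoids depending on the library's defaults in the future. The following is an added example, not code from this advisory or from the Apache Commons project, written against the Commons Text API (StringLookupFactory.interpolatorStringLookup with addDefaultLookups set to false). The class name SafeInterpolation, the choice of "env" and "sys" as the permitted prefixes, and the two sample values are assumptions for illustration. The same allowlist principle applies to the Commons Configuration variant (CVE-2022-33980), where prefix lookups are registered on the ConfigurationInterpolator.

```java
// Added example (not from the advisory or from Apache Commons): build a
// StringSubstitutor whose interpolator knows only an explicit allowlist of
// prefixes, so "script", "dns" and "url" are unavailable on every library version.
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    /** Returns a substitutor that resolves only the prefixes listed in 'allowed'. */
    static StringSubstitutor allowlistedSubstitutor() {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;

        // Assumed allowlist: only environment variables and system properties.
        // Register the smallest set the application actually needs.
        Map<String, StringLookup> allowed = Map.of(
            "env", factory.environmentVariableStringLookup(),
            "sys", factory.systemPropertyStringLookup());

        // defaultStringLookup = null : a bare "${name}" without a prefix stays unresolved.
        // addDefaultLookups   = false: do NOT merge in the library's default lookup set,
        //                              which on 1.5 through 1.9 includes script, dns and url.
        StringLookup interpolator = factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        StringSubstitutor sub = allowlistedSubstitutor();

        // Constructed sample values, shaped like entries read from a configuration source.
        String expected = "java.home is ${sys:java.home}";
        String unexpected = "${script:javascript:untrusted}"; // hypothetical value using a prefix that is not allowlisted

        // "sys" is allowlisted, so the property is resolved.
        System.out.println(sub.replace(expected));

        // "script" is unknown to this interpolator: the lookup returns null and
        // StringSubstitutor leaves the token verbatim. Nothing is evaluated.
        System.out.println(sub.replace(unexpected));
    }
}
```

Even the allowlisted lookups deserve thought: "env" and "sys" can disclose environment variables or system properties if an untrusted value is interpolated, so restrict the allowlist to what the application needs and keep untrusted input out of interpolated strings where possible. Upgrading to the fixed versions named above is still the baseline; the allowlist is defense in depth and protects code that cannot upgrade immediately.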

Affected Products

Vulnerable Products


None


Products Confirmed Not Vulnerable


FortiOS (includes FortiGate & FortiWiFi)
FortiAnalyzer
FortiManager
FortiAuthenticator
FortiDeceptor
FortiMail
FortiVoice (includes FortiPhone)
FortiRecorder
FortiSwitch & FortiSwitchManager
FortiAP
FortiAP-W2
FortiAP-S
FortiAP-U
FortiAP-C
FortiADC
FortiADCManager
FortiClientEMS
FortiClient (All versions)
FortiSandbox
FortiProxy
FortiWeb
FortiWLM
FortiWLC
FortiToken & FortiToken Mobile
FortiNDR
FortiDDoS
FortiDDoS-F
FortiConnect
FortiExtender
FortiConverter
FortiLANCloud
FortiToken Cloud
FortiPolicy
FortiEDR
FortiSASE
FortiPortal
FortiWebCloud
FortiSIEM
FortiCASB
FortiAnalyzer Cloud
FortiManager Cloud
FortiSwitch Cloud
FortiExtender Cloud
FortiCWP
FortiClient Cloud
FortiPhish
FortiIsolator
FortiAIOps
FortiPentest
FortiSOAR
FortiSandbox Cloud


Products still under investigation


FortiCloud
FortiInsight


Products potentially impacted


FortiAnalyzer-BigData version 7.0.1 through 7.0.4

Solutions

For full details of protections and detections for the IoCs related to this vulnerability, please see our outbreak alert:


https://www.fortiguard.com/outbreak-alert


IPS Signature protection (FortiOS)


https://www.fortiguard.com/encyclopedia/ips/52245


Please upgrade to FortiAnalyzer-BigData version 7.2.0 or above
Please upgrade to FortiAnalyzer-BigData version 7.0.5 or above