Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2022-07-06T00:00:00 apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

A flaw was found in Apache Commons Configuration's variable interpolation, which by default included several lookup actions that could permit script invocation on remote servers. This issue could allow an attacker to use one of these actions to send a request to execute arbitrary code on the server.

Red Hat Satellite embeds affected commons-configuration2 with Candlepin, however, product is not affected since vulnerable org.apache.commons.configuration2.interpol.Lookup is not exposed in code. Product Security has rated this vulnerability Low for Satellite and there is no harm identified to confidentiality, integrity, and availability. AMQ Broker 7.10.1 2022-10-12T00:00:00Z RHSA-2022:6916 commons-configuration2 Red Hat Fuse 7.11.1 2022-11-28T00:00:00Z RHSA-2022:8652 commons-configuration2 Red Hat Satellite 6.13 for RHEL 8 2023-05-03T00:00:00Z RHSA-2023:2097 candlepin-0:4.2.13-1.el8sat A-MQ Clients 2 Not affected commons-configuration2 Red Hat A-MQ Online Not affected commons-configuration2 Red Hat build of Quarkus Not affected commons-configuration2 Red Hat Data Grid 8 Not affected commons-configuration2 Red Hat Decision Manager 7 Out of support scope commons-configuration2 Red Hat Integration Camel K 1 Affected commons-configuration2 Red Hat JBoss Data Grid 7 Out of support scope commons-configuration2 Red Hat JBoss Enterprise Application Platform 7 Not affected commons-configuration2 Red Hat JBoss Enterprise Application Platform Expansion Pack Not affected commons-configuration2 Red Hat OpenShift Container Platform 3.11 Will not fix jenkins-2-plugins Red Hat OpenShift Container Platform 4 Affected jenkins-2-plugins Red Hat Process Automation 7 Out of support scope commons-configuration2 Red Hat support for Spring Boot Affected commons-configuration2 https://www.cve.org/CVERecord?id=CVE-2022-33980 https://nvd.nist.gov/vuln/detail/CVE-2022-33980