src/site/xdoc/security.xml - commons-configuration - Git at Google

 <?xml version="1.0"?>
 <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file
     distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under
     the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may
     obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to
     in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
     ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under
     the License. -->
 <document>
     <properties>
         <title>Apache Commons Configuration Security Reports</title>
         <author email="dev@commons.apache.org">Commons Team</author>
     </properties>
     <body>
         <section name="Security Vulnerabilities">
             <p>
                 For information about reporting or asking questions about
                 security, please see the
                 <a href="https://commons.apache.org/security.html">security page</a>
                 of the Apache Commons project.
             </p>
             <p>
                 This page lists all security vulnerabilities fixed in released versions of this component.
             </p>

             <p>
                 Please note that binary patches are never provided. If you need to apply a source code patch, use the
                 building instructions for the component version that you are using.
             </p>

             <p>
                 If you need help on building this component or other help on following the instructions to
                 mitigate the known vulnerabilities listed here, please send your questions to the public
                 <a href="mail-lists.html">user mailing list</a>.
             </p>

             <p>
                 If you have encountered an unlisted security vulnerability or other unexpected behavior that has security
                 impact, or if the descriptions here are incomplete, please report them privately to the Apache Security
                 Team. Thank you.
             </p>

             <subsection name="CVE-2022-33980 prior to 2.8.0, RCE when applied to untrusted input">
                 <p>
                     On 2022-07-06, the Apache Commons Configuration team disclosed
                     <a href="https://www.cve.org/CVERecord?id=CVE-2022-33980">CVE-2022-33980</a>
                     . Key takeaways:
                     <ul>
                         <li>
                             If you rely on software that uses a version of commons-configuration prior to 2.8.0, you are likely
                             still not vulnerable: only if this software loads configuration
                             files from untrusted sources, which is likely rare.
                         </li>
                         <li>
                             If your own software uses commons-configuration, double-check whether it loads
                             configuration files from untrusted sources. If so, an update to 2.8.0 could be a
                             quick workaround, but the recommended solution is to also properly validate and sanitize the
                             untrusted input.
                         </li>
                     </ul>
                 </p>
                 <p>
                     Apache Commons Configuration is a library to read configuration data from a variety of sources.
                     It supports variable interpolation with lookups using various mechanisms, such as system properties
                     or environment variables. Some of the available interpolators can trigger network
                     access or code execution. This is intended, but it also means an application that includes user
                     input in the configuration passed to Commons Configuration without properly sanitizing it would allow an
                     attacker to trigger those interpolators.
                 </p>
                 <p>
                     For that reason the Apache Commons Configuration team have decided to update the list of interpolators
                     that are enabled by default to be more
                     conservative, so that the impact of a failure to validate inputs is mitigated and will not
                     give an attacker access to these interpolators. However, it is still recommended that users treat
                     untrusted input with care.
                 </p>
                 <p>
                     We're not currently aware of any applications that load untrusted input as configuration
                     and thus would have been impacted by this problem prior to Apache Commons Configuration 2.8.0.
                 </p>
                 <p>
                     This issue is different from
                     <a href="https://logging.apache.org/log4j/2.x/security.html#log4j-2.15.0">Log4Shell (CVE-2021-44228)</a>
                     because in Log4Shell, string interpolation was possible from the log message body, which commonly
                     contains untrusted input. In the Apache Common Configuration issue, the processed configuration data
                     is much less likely to come from an untrusted source.
                 </p>
                 <p>
                     Credit: this issue was reported by
                     <a href="https://github.com/pwntester">@pwntester (Alvaro Muñoz)</a>
                     of the
                     <a href="https://securitylab.github.com">GitHub Security Lab team</a>
                     . Thank you!
                 </p>
                 <p>
                     References:
                     <ul>
                         <li>
                             <a href="https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s">Announcement on dev@commons.apache.org</a>
                         </li>
                         <li>
                             <a href="https://www.openwall.com/lists/oss-security/2022/07/06/5">Announcement on oss-security</a>
                         </li>
                         <li>
                             <a href="https://www.cve.org/CVERecord?id=CVE-2022-33980">Advisory on cve.org</a>
                         </li>
                         <li>
                             <a href="https://securitylab.github.com/advisories/GHSL-2022-017_Apache_Commons_Configuration/">GHSL advisory</a>
                         </li>
                     </ul>
                 </p>
              </subsection>
              <subsection name="CVE-2024-29131 prior to 2.10.1, Out-of-bounds Write vulnerability">
                <p>
                  On 2024-03-20, the Apache Commons Configuration team disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29131">CVE-2024-29131</a>.
                </p>
                <p>
                  This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1.
                  USer can see this as a <code>StackOverflowError</code> when adding a property in <code>AbstractListDelimiterHandler.flattenIterator()</code>.
                  Users are recommended to upgrade to version 2.10.1, which fixes the issue.
                  The details are in <a href="https://issues.apache.org/jira/browse/CONFIGURATION-840">CONFIGURATION-840</a>.
                </p>
              </subsection>
              <subsection name="CVE-2024-29133 prior to 2.10.1, Out-of-bounds Write vulnerability">
                <p>
                  On 2024-03-20, the Apache Commons Configuration team disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29133">CVE-2024-29133</a>.
                </p>
                <p>
                  This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1.
                  USer can see this as a <code>StackOverflowError</code> calling <code>ListDelimiterHandler.flatten(Object, int)</code> with a cyclical object tree.
                  Users are recommended to upgrade to version 2.10.1, which fixes the issue.
                  The details are in <a href="https://issues.apache.org/jira/browse/CONFIGURATION-840">CONFIGURATION-841</a>.
                </p>
              </subsection>
         </section>
     </body>
 </document>
	<?xml version="1.0"?>
	<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under
	the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may
	obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to
	in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
	ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under
	the License. -->
	<document>
	<properties>
	<title>Apache Commons Configuration Security Reports</title>
	<author email="dev@commons.apache.org">Commons Team</author>
	</properties>
	<body>
	<section name="Security Vulnerabilities">
	<p>
	For information about reporting or asking questions about
	security, please see the
	<a href="https://commons.apache.org/security.html">security page</a>
	of the Apache Commons project.
	</p>
	<p>
	This page lists all security vulnerabilities fixed in released versions of this component.
	</p>

	<p>
	Please note that binary patches are never provided. If you need to apply a source code patch, use the
	building instructions for the component version that you are using.
	</p>

	<p>
	If you need help on building this component or other help on following the instructions to
	mitigate the known vulnerabilities listed here, please send your questions to the public
	<a href="mail-lists.html">user mailing list</a>.
	</p>

	<p>
	If you have encountered an unlisted security vulnerability or other unexpected behavior that has security
	impact, or if the descriptions here are incomplete, please report them privately to the Apache Security
	Team. Thank you.
	</p>

	<subsection name="CVE-2022-33980 prior to 2.8.0, RCE when applied to untrusted input">
	<p>
	On 2022-07-06, the Apache Commons Configuration team disclosed
	<a href="https://www.cve.org/CVERecord?id=CVE-2022-33980">CVE-2022-33980</a>
	. Key takeaways:
	<ul>
	<li>
	If you rely on software that uses a version of commons-configuration prior to 2.8.0, you are likely
	still not vulnerable: only if this software loads configuration
	files from untrusted sources, which is likely rare.
	</li>
	<li>
	If your own software uses commons-configuration, double-check whether it loads
	configuration files from untrusted sources. If so, an update to 2.8.0 could be a
	quick workaround, but the recommended solution is to also properly validate and sanitize the
	untrusted input.
	</li>
	</ul>
	</p>
	<p>
	Apache Commons Configuration is a library to read configuration data from a variety of sources.
	It supports variable interpolation with lookups using various mechanisms, such as system properties
	or environment variables. Some of the available interpolators can trigger network
	access or code execution. This is intended, but it also means an application that includes user
	input in the configuration passed to Commons Configuration without properly sanitizing it would allow an
	attacker to trigger those interpolators.
	</p>
	<p>
	For that reason the Apache Commons Configuration team have decided to update the list of interpolators
	that are enabled by default to be more
	conservative, so that the impact of a failure to validate inputs is mitigated and will not
	give an attacker access to these interpolators. However, it is still recommended that users treat
	untrusted input with care.
	</p>
	<p>
	We're not currently aware of any applications that load untrusted input as configuration
	and thus would have been impacted by this problem prior to Apache Commons Configuration 2.8.0.
	</p>
	<p>
	This issue is different from
	<a href="https://logging.apache.org/log4j/2.x/security.html#log4j-2.15.0">Log4Shell (CVE-2021-44228)</a>
	because in Log4Shell, string interpolation was possible from the log message body, which commonly
	contains untrusted input. In the Apache Common Configuration issue, the processed configuration data
	is much less likely to come from an untrusted source.
	</p>
	<p>
	Credit: this issue was reported by
	<a href="https://github.com/pwntester">@pwntester (Alvaro Muñoz)</a>
	of the
	<a href="https://securitylab.github.com">GitHub Security Lab team</a>
	. Thank you!
	</p>
	<p>
	References:
	<ul>
	<li>
	<a href="https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s">Announcement on dev@commons.apache.org</a>
	</li>
	<li>
	<a href="https://www.openwall.com/lists/oss-security/2022/07/06/5">Announcement on oss-security</a>
	</li>
	<li>
	<a href="https://www.cve.org/CVERecord?id=CVE-2022-33980">Advisory on cve.org</a>
	</li>
	<li>
	<a href="https://securitylab.github.com/advisories/GHSL-2022-017_Apache_Commons_Configuration/">GHSL advisory</a>
	</li>
	</ul>
	</p>
	</subsection>
	<subsection name="CVE-2024-29131 prior to 2.10.1, Out-of-bounds Write vulnerability">
	<p>
	On 2024-03-20, the Apache Commons Configuration team disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29131">CVE-2024-29131</a>.
	</p>
	<p>
	This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1.
	USer can see this as a <code>StackOverflowError</code> when adding a property in <code>AbstractListDelimiterHandler.flattenIterator()</code>.
	Users are recommended to upgrade to version 2.10.1, which fixes the issue.
	The details are in <a href="https://issues.apache.org/jira/browse/CONFIGURATION-840">CONFIGURATION-840</a>.
	</p>
	</subsection>
	<subsection name="CVE-2024-29133 prior to 2.10.1, Out-of-bounds Write vulnerability">
	<p>
	On 2024-03-20, the Apache Commons Configuration team disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29133">CVE-2024-29133</a>.
	</p>
	<p>
	This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1.
	USer can see this as a <code>StackOverflowError</code> calling <code>ListDelimiterHandler.flatten(Object, int)</code> with a cyclical object tree.
	Users are recommended to upgrade to version 2.10.1, which fixes the issue.
	The details are in <a href="https://issues.apache.org/jira/browse/CONFIGURATION-840">CONFIGURATION-841</a>.
	</p>
	</subsection>
	</section>
	</body>
	</document>