| <?xml version="1.0"?> |
| <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under |
| the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may |
| obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to |
| in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF |
| ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under |
| the License. --> |
| <document> |
| <properties> |
| <title>Apache Commons Configuration Security Reports</title> |
| <author email="dev@commons.apache.org">Commons Team</author> |
| </properties> |
| <body> |
| <section name="Security Vulnerabilities"> |
| <p> |
| For information about reporting or asking questions about |
| security, please see the |
| <a href="https://commons.apache.org/security.html">security page</a> |
| of the Apache Commons project. |
| </p> |
| <p> |
| This page lists all security vulnerabilities fixed in released versions of this component. |
| </p> |
| |
| <p> |
| Please note that binary patches are never provided. If you need to apply a source code patch, use the |
| building instructions for the component version that you are using. |
| </p> |
| |
| <p> |
| If you need help on building this component or other help on following the instructions to |
| mitigate the known vulnerabilities listed here, please send your questions to the public |
| <a href="mail-lists.html">user mailing list</a>. |
| </p> |
| |
| <p> |
| If you have encountered an unlisted security vulnerability or other unexpected behavior that has security |
| impact, or if the descriptions here are incomplete, please report them privately to the Apache Security |
| Team. Thank you. |
| </p> |
| |
| <subsection name="CVE-2022-33980 prior to 2.8.0, RCE when applied to untrusted input"> |
| <p> |
| On 2022-07-06, the Apache Commons Configuration team disclosed |
| <a href="https://www.cve.org/CVERecord?id=CVE-2022-33980">CVE-2022-33980</a> |
| . Key takeaways: |
| <ul> |
| <li> |
| If you rely on software that uses a version of commons-configuration prior to 2.8.0, you are likely |
| still not vulnerable: only if this software loads configuration |
| files from untrusted sources, which is likely rare. |
| </li> |
| <li> |
| If your own software uses commons-configuration, double-check whether it loads |
| configuration files from untrusted sources. If so, an update to 2.8.0 could be a |
| quick workaround, but the recommended solution is to also properly validate and sanitize the |
| untrusted input. |
| </li> |
| </ul> |
| </p> |
| <p> |
| Apache Commons Configuration is a library to read configuration data from a variety of sources. |
| It supports variable interpolation with lookups using various mechanisms, such as system properties |
| or environment variables. Some of the available interpolators can trigger network |
| access or code execution. This is intended, but it also means an application that includes user |
| input in the configuration passed to Commons Configuration without properly sanitizing it would allow an |
| attacker to trigger those interpolators. |
| </p> |
| <p> |
| For that reason the Apache Commons Configuration team have decided to update the list of interpolators |
| that are enabled by default to be more |
| conservative, so that the impact of a failure to validate inputs is mitigated and will not |
| give an attacker access to these interpolators. However, it is still recommended that users treat |
| untrusted input with care. |
| </p> |
| <p> |
| We're not currently aware of any applications that load untrusted input as configuration |
| and thus would have been impacted by this problem prior to Apache Commons Configuration 2.8.0. |
| </p> |
| <p> |
| This issue is different from |
| <a href="https://logging.apache.org/log4j/2.x/security.html#log4j-2.15.0">Log4Shell (CVE-2021-44228)</a> |
| because in Log4Shell, string interpolation was possible from the log message body, which commonly |
| contains untrusted input. In the Apache Common Configuration issue, the processed configuration data |
| is much less likely to come from an untrusted source. |
| </p> |
| <p> |
| Credit: this issue was reported by |
| <a href="https://github.com/pwntester">@pwntester (Alvaro Muñoz)</a> |
| of the |
| <a href="https://securitylab.github.com">GitHub Security Lab team</a> |
| . Thank you! |
| </p> |
| <p> |
| References: |
| <ul> |
| <li> |
| <a href="https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s">Announcement on dev@commons.apache.org</a> |
| </li> |
| <li> |
| <a href="https://www.openwall.com/lists/oss-security/2022/07/06/5">Announcement on oss-security</a> |
| </li> |
| <li> |
| <a href="https://www.cve.org/CVERecord?id=CVE-2022-33980">Advisory on cve.org</a> |
| </li> |
| <li> |
| <a href="https://securitylab.github.com/advisories/GHSL-2022-017_Apache_Commons_Configuration/">GHSL advisory</a> |
| </li> |
| </ul> |
| </p> |
| </subsection> |
| <subsection name="CVE-2024-29131 prior to 2.10.1, Out-of-bounds Write vulnerability"> |
| <p> |
| On 2024-03-20, the Apache Commons Configuration team disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29131">CVE-2024-29131</a>. |
| </p> |
| <p> |
| This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. |
| USer can see this as a <code>StackOverflowError</code> when adding a property in <code>AbstractListDelimiterHandler.flattenIterator()</code>. |
| Users are recommended to upgrade to version 2.10.1, which fixes the issue. |
| The details are in <a href="https://issues.apache.org/jira/browse/CONFIGURATION-840">CONFIGURATION-840</a>. |
| </p> |
| </subsection> |
| <subsection name="CVE-2024-29133 prior to 2.10.1, Out-of-bounds Write vulnerability"> |
| <p> |
| On 2024-03-20, the Apache Commons Configuration team disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29133">CVE-2024-29133</a>. |
| </p> |
| <p> |
| This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. |
| USer can see this as a <code>StackOverflowError</code> calling <code>ListDelimiterHandler.flatten(Object, int)</code> with a cyclical object tree. |
| Users are recommended to upgrade to version 2.10.1, which fixes the issue. |
| The details are in <a href="https://issues.apache.org/jira/browse/CONFIGURATION-840">CONFIGURATION-841</a>. |
| </p> |
| </subsection> |
| </section> |
| </body> |
| </document> |