CVE-2022-42889 Impact of Apache Text Commons Vulnerability CVE-2022-42889
Description
Palo Alto Networks has evaluated the Apache Commons Text library vulnerability CVE-2022-42889, known as Text4Shell, for all products and services.
The Palo Alto Networks Product Security Assurance team has confirmed that all products and services are not impacted by this vulnerability.
| CVE | Summary |
|---|---|
| CVE-2022-42889 | Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| WildFire Cloud | None | All |
| WildFire Appliance (WF-500) | None | All |
| User-ID Agent | None | All |
| SaaS Security | None | All |
| Prisma SD-WAN ION | None | All |
| Prisma SD-WAN (CloudGenix) | None | All |
| Prisma Cloud Compute | None | All |
| Prisma Cloud | None | All |
| Prisma Access | None | All |
| PAN-OS | None | All |
| Palo Alto Networks App for Splunk | None | All |
| Okyo Garde | None | All |
| IoT Security | None | All |
| GlobalProtect App | None | All |
| Expedition Migration Tool | None | All |
| Expanse | None | All |
| Exact Data Matching CLI | None | All |
| Enterprise Data Loss Prevention | None | All |
| Cortex XSOAR | None | All |
| Cortex Xpanse | None | All |
| Cortex XDR Agent | None | All |
| Cortex XDR | None | All |
| Cortex Data Lake | None | All |
| Cloud NGFW | None | All |
| Bridgecrew | None | All |
| AutoFocus | None | All |
Severity: NONE
CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.
Weakness Type
CWE-94 Improper Control of Generation of Code ('Code Injection')
Solution
No software updates are required at this time.
Workarounds and Mitigations
Customers with a Threat Prevention subscription can block known attacks for CVE-2022-42889 by enabling Threat ID 93157 (Applications and Threats content update 8632). This mitigation reduces the risk of exploitation from known exploits.