CVE-2022-42889 Impact of Apache Text Commons Vulnerability CVE-2022-42889

Palo Alto Networks Security Advisories / CVE-2022-42889

CVE-2022-42889 Impact of Apache Text Commons Vulnerability CVE-2022-42889

Informational

NVD JSON

Published 2022-11-09

Updated 2022-11-09

Reference CVE-2022-42889

Discovered externally

Description

Palo Alto Networks has evaluated the Apache Commons Text library vulnerability CVE-2022-42889, known as Text4Shell, for all products and services.

The Palo Alto Networks Product Security Assurance team has confirmed that all products and services are not impacted by this vulnerability.

CVE	Summary
CVE-2022-42889	Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

CVE

Summary

CVE-2022-42889

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Product Status

Versions	Affected	Unaffected
AutoFocus	None	all
Bridgecrew	None	all
Cloud NGFW	None	all
Cortex Data Lake	None	all
Cortex XDR	None	all
Cortex XDR Agent	None	all
Cortex Xpanse	None	all
Cortex XSOAR	None	all
Enterprise Data Loss Prevention	None	all
Exact Data Matching CLI	None	all
Expanse	None	all
Expedition Migration Tool	None	all
GlobalProtect App	None	all
IoT Security	None	all
Okyo Garde	None	all
Palo Alto Networks App for Splunk	None	all
PAN-OS	None	all
Prisma Access	None	all
Prisma Cloud	None	all
Prisma Cloud Compute	None	all
Prisma SD-WAN (CloudGenix)	None	all
Prisma SD-WAN ION	None	all
SaaS Security	None	all
User-ID Agent	None	all
WildFire Appliance (WF-500)	None	all
WildFire Cloud	None	all

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue on any of our products.

Weakness Type

CWE-94 Improper Control of Generation of Code ('Code Injection')

Solution

No software updates are required at this time.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block known attacks for CVE-2022-42889 by enabling Threat ID 93157 (Applications and Threats content update 8632). This mitigation reduces the risk of exploitation from known exploits.

Timeline

2022-11-09 Initial publication