This advisory is archived
Archived security advisories updated before March 15, 2024 have been migrated from our previous documentation site in their original format. For this reason, they may not conform to the updated look and feel of advisories published after March 15, 2024.
- Advisory ID: CV_2022_10_1
- Title: Remote Code Execution Vulnerability in Apache Common Text
- Severity: HIGH
- Issued: 2022-10-18
- Updated: 2022-10-18
- CVSS Score Range: 7.0-8.9
- Additional Links:
Impacted Products
This vulnerability does not affect Commvault products.
Resolution
As a precautionary measure, we have upgraded the Apache Commons Text version in our product.
Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.
Platform Release | Maintenance Release |
|---|---|
2022E | |
11.24 |
CVE Details
| Info | Description |
|---|---|
| Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. |