CVE-2022-42889 - Apache Commons Text prior to 1.10.0 allows RCE #15915

Closed
jsorah opened this issue Dec 8, 2022 · 6 comments · Fixed by #15930
Labels: area/dependencies, kind/cve (Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected), status/not-vulnerable (Used for CVE reports coming from third-party dependencies)

jsorah (Contributor) commented Dec 8, 2022

Description

  • Package Manager: maven
  • Vulnerable module: org.liquibase:liquibase-core
  • Introduced through repackaging of commons-text transitive dependency as part of org.liquibase:liquibase-core

Detailed paths

  • liquibase.version defined as 4.16.1 in pom.xml

Overview

Repackaged transitive dependency org.apache.commons:commons-text included by org.liquibase:liquibase-core is vulnerable to CVE-2022-42889.

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • "script" - execute expressions using the JVM script execution engine (javax.script)
  • "dns" - resolve dns records
  • "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.

Remediation

Upgrade org.liquibase:liquibase-core to version 4.17.1 or higher.

References

NVD Entry
Keycloak Defined Liquibase Version
Liquibase Release Including Fixed Dependency
Liquibase Commit Addressing Dependency
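
The advisory text above describes the mechanism in the abstract. The following is an added example, not code from Keycloak, Liquibase or Commons Text, showing two defensive measures for an application that cannot yet move to commons-text 1.10.0: an interpolator built from an explicit allow-list of lookups (so "script", "dns" and "url" are never present in the map, whatever the library's defaults), and a pre-check that flags those three prefixes in configuration values before they reach a substitutor. The class name, the chosen prefixes ("sys", "env", "app") and the sample inputs are this example's own assumptions; it uses the StringLookupFactory and StringSubstitutor API of the 1.x line discussed here.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (hypothetical class, not from any project on this page).
 * Interpolation restricted to an allow-list of lookups, plus a check for the
 * prefixes named in CVE-2022-42889.
 */
public final class RestrictedInterpolation {

    /** Lookup prefixes named in the advisory that must never be evaluated. */
    private static final Pattern BLOCKED_PREFIX =
            Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    /**
     * Builds a substitutor whose interpolator only knows "sys", "env" and "app".
     * addDefaultLookups = false keeps the library's built-in set, which in
     * 1.5 through 1.9 includes script, dns and url, out of the map entirely.
     * A prefix that is not in the map cannot be evaluated, so the interpolator
     * falls through to the default (map) lookup, finds nothing, and the
     * StringSubstitutor leaves the original "${...}" text unchanged.
     */
    static StringSubstitutor allowListedSubstitutor(Map<String, String> appValues) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("sys", f.systemPropertyStringLookup());
        lookups.put("env", f.environmentVariableStringLookup());
        lookups.put("app", f.mapStringLookup(appValues));

        StringLookup interpolator = f.interpolatorStringLookup(
                lookups,
                f.mapStringLookup(appValues), // resolves unprefixed "${name}"
                false);                        // do NOT add the default lookups
        StringSubstitutor s = new StringSubstitutor(interpolator);
        s.setEnableSubstitutionInVariables(false); // no nested "${${...}}" expansion
        return s;
    }

    /** True when a configuration value carries one of the blocked lookup prefixes. */
    static boolean usesBlockedLookup(String value) {
        return value != null && BLOCKED_PREFIX.matcher(value).find();
    }

    public static void main(String[] args) {
        Map<String, String> appValues = new HashMap<>();
        appValues.put("greeting", "hello");

        // Constructed inputs: one benign, one carrying a blocked prefix.
        String benign = "${app:greeting}, java.version=${sys:java.version}";
        String suspect = "${app:greeting} ${script:javascript:1+1}";

        StringSubstitutor safe = allowListedSubstitutor(appValues);
        System.out.println(safe.replace(benign));
        // The unknown "script" prefix is not evaluated; the variable stays verbatim.
        System.out.println(safe.replace(suspect));

        // Pre-check for values that should be rejected or logged before substitution.
        System.out.println(usesBlockedLookup(benign));
        System.out.println(usesBlockedLookup(suspect));
    }
}
```

The allow-list is the primary control: it works regardless of which commons-text 1.x version a transitive or repackaged dependency drags in, because the dangerous lookups are never registered. The regex check is a secondary, cheaper signal suitable for logging or rejecting untrusted configuration, and it deliberately matches the prefix syntax only, not any particular payload.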

jsorah (Contributor, Author) commented Dec 8, 2022

@abstractj - I need your help in adding the appropriate labels here, I don't seem to have the ability to.

abstractj added status/triage and kind/cve (Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected) and removed kind/task labels Dec 8, 2022
abstractj self-assigned this Dec 8, 2022

abstractj (Contributor) commented:

@jsorah Thanks for submitting it Josh. Keycloak is not vulnerable to the issue mentioned, although it is affected, and we should upgrade. Currently, we are in the 2.13.5.Final release of Quarkus and we need to keep those dependencies in sync. Considering that this not critical, I'd say that it is safe to wait for the next Quarkus update on 2.13.x, or the next Keycloak upgrade to 2.14.x next year.

@keycloak/cloud-native-team @keycloak/storage-x do you have any other suggestions?

abstractj added status/not-vulnerable (Used for CVE reports coming from third-party dependencies) and removed status/triage labels Dec 8, 2022

pedroigor (Contributor) commented Dec 8, 2022

I think we are affected because, even though script execution is disabled by default (tech preview feature), you should be able to use classes from commons-text like that from a script:

print(org.apache.commons.text.StringSubstitutor.replaceSystemProperties(
    "You are running with java.version = ${java.version} and os.name = ${os.name}."));

I think we should be able to fix this CVE if we change the liquibase-core dependency in the parent pom.xml like this:

<dependency>
    <groupId>org.liquibase</groupId>
    <artifactId>liquibase-core</artifactId>
    <version>${liquibase.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-text</artifactId>
        </exclusion>
    </exclusions>
</dependency>

From what I see, commons-text should be an optional dependency of com.opencsv:opencsv, which includes this dependency. But we can't remove opencsv (not sure if we are even using it) because liquibase.change.core.LoadDataChange has it as a compile-time dependency.

abstractj (Contributor) commented:

@pedroigor +1 about your idea

jsorah (Contributor, Author) commented Dec 8, 2022

@pedroigor - The commons-text classes are actually repackaged within the liquibase-core JAR itself, so Maven exclusions won't help here, unfortunately.

Ex:

unzip -l liquibase-core-4.8.0.redhat-00001.jar | grep commons/text | head
        0  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/
     9212  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/AlphabetConverter.class
      258  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/Builder.class
     2174  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/CaseUtils.class
      184  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/CharacterPredicate.class
      745  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/CharacterPredicates$1.class
      824  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/CharacterPredicates$2.class
      819  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/CharacterPredicates$3.class
      819  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/CharacterPredicates$4.class
      819  01-22-2020 15:10   liquibase/repackaged/org/apache/commons/text/CharacterPredicates$5.class

EDIT:

Actually, what I said is incorrect for what Keycloak is doing - this is an artifact from a different process / older version of Liquibase. Maven exclusion should work for Keycloak as of now.

sguilhen (Contributor) commented Dec 9, 2022

If I'm reading right, the first release of Quarkus that includes the Liquibase upgrade is 2.15.0 (quarkusio/quarkus@387578a).

Given that we seem to have a way to work around this with @pedroigor's suggestion, I think we can wait until our Quarkus is upgraded to 2.15.0 or higher and then update Liquibase accordingly.
