You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2022/10/18 12:56:40 UTC

[GitHub] [commons-text] raboof opened a new pull request, #374: Add statement about CVE-2022-42889 to frontpage

raboof opened a new pull request, #374:
URL: https://github.com/apache/commons-text/pull/374

   To put things into perspective since this is currently getting some attention.
   
   Can be moved to the 'security' page later.
   
   ![commons-text](https://user-images.githubusercontent.com/131856/196435661-a0fe846d-805f-411a-84f8-6602e2b65754.png)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] kinow commented on pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

kinow commented on PR #374:
URL: https://github.com/apache/commons-text/pull/374#issuecomment-1283282278

   > I find new vulnerability,But I submitted to [security@commons.apache.org](mailto:security@commons.apache.org),No one replied to my email~
   
   @wangdudu321123, from time to time the list gets a lot of traffic, and there may be internal discussion (e.g. someone trying to confirm if the issue can be reproduced, or looking at the archives for past open reports).. The project is also run by volunteers. With this in mind, please wait a while more as it may take some time until we can review all the messages. Finally, this issue is about the statement for an existing CVE, cross-posting unrelated issues is not really helpful.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] garydgregory commented on pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

garydgregory commented on PR #374:
URL: https://github.com/apache/commons-text/pull/374#issuecomment-1282943116

   -1 publishing the site is a manual process and a pain. We already have a security page which will be published soon 
   (already a pain) . Plus, moving content around at random times might mess up search engine results.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] raboof commented on pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

raboof commented on PR #374:
URL: https://github.com/apache/commons-text/pull/374#issuecomment-1283548104

   > I updated the security page https://commons.apache.org/proper/commons-text/security.html I think we can close this PR IMO
   
   Yes, thanks a lot!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] wangdudu321123 commented on pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

wangdudu321123 commented on PR #374:
URL: https://github.com/apache/commons-text/pull/374#issuecomment-1283272735

   I find new vulnerability,But I submitted to security@commons.apache.org,No one replied to my email~


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] wangdudu321123 commented on pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

wangdudu321123 commented on PR #374:
URL: https://github.com/apache/commons-text/pull/374#issuecomment-1283288638

   > > I find new vulnerability,But I submitted to [security@commons.apache.org](mailto:security@commons.apache.org),No one replied to my email~
   > 
   > @wangdudu321123, from time to time the list gets a lot of traffic, and there may be internal discussion (e.g. someone trying to confirm if the issue can be reproduced, or looking at the archives for past open reports).. The project is also run by volunteers. With this in mind, please wait a while more as it may take some time until we can review all the messages. Finally, this issue is about the statement for an existing CVE, cross-posting unrelated issues is not really helpful.
   
   @kinow Thanks


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] kinow commented on a diff in pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

kinow commented on code in PR #374:
URL: https://github.com/apache/commons-text/pull/374#discussion_r998185782


##########
src/site/xdoc/index.xml:
##########
@@ -41,6 +41,41 @@ The <a href="scm.html">Git repository</a> can be
 </p>
 </section>
 <!-- ================================================== -->
+<section name="Security">
+  <subsection name="CVE-2022-42889 prior to 1.10.0, RCE when applied to untrusted input">
+    <p>
+    On 2022-10-13, the Apache Commons Text team disclosed <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889">CVE-2022-42889</a>. Key takeaways:
+    <ul>
+      <li>If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the <code>StringSubstitutor</code> API without propery sanitizing any untrusted input.</li>
+      <li>If your own software that uses commons-text, double-check whether it uses the <code>StringSubstitutor</code> API without propery sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.</li>

Review Comment:
   Your own software uses? Or you own software.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] raboof commented on pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

raboof commented on PR #374:
URL: https://github.com/apache/commons-text/pull/374#issuecomment-1282360575

   Thanks for the review, dropped the extra 'that'


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] jvz commented on a diff in pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

jvz commented on code in PR #374:
URL: https://github.com/apache/commons-text/pull/374#discussion_r998317157


##########
src/site/xdoc/index.xml:
##########
@@ -41,6 +41,41 @@ The <a href="scm.html">Git repository</a> can be
 </p>
 </section>
 <!-- ================================================== -->
+<section name="Security">
+  <subsection name="CVE-2022-42889 prior to 1.10.0, RCE when applied to untrusted input">
+    <p>
+    On 2022-10-13, the Apache Commons Text team disclosed <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889">CVE-2022-42889</a>. Key takeaways:
+    <ul>
+      <li>If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the <code>StringSubstitutor</code> API without propery sanitizing any untrusted input.</li>
+      <li>If your own software uses commons-text, double-check whether it uses the <code>StringSubstitutor</code> API without propery sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.</li>
+    </ul>
+    </p>
+    <p>
+    Apache Commons Text is a low-level library for performing various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators. When using the string substitution feature, some of the available interpolators can trigger network access or code execution. This is intended, but it also means an application that includes user input in the string passed to the substitution without properly sanitizing it would allow an attacker to trigger those interpolators.
+    </p>
+    <p>For that reason the Apache Commons Text team have decided to update the configuration to be more "secure by default", so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators. However, it is still recommended that users treat untrusted input with care.
+    </p>
+    <p>
+    We're not currently aware of any applications that pass untrusted input to the substitutor and thus would have been impacted by this problem prior to Apache Commons Text 1.10.0.
+    </p>
+    <p>
+    This issue is different from <a href="https://logging.apache.org/log4j/2.x/security.html">Log4Shell (CVE-2021-44228)</a> because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.

Review Comment:
   ```suggestion
       This issue is different from <a href="https://logging.apache.org/log4j/2.x/security.html#log4j-2.15.0">Log4Shell (CVE-2021-44228)</a> because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.
   ```
   
   More direct link to the specific CVE mentioned.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] garydgregory commented on pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

garydgregory commented on PR #374:
URL: https://github.com/apache/commons-text/pull/374#issuecomment-1283359588

   I updated the security page https://commons.apache.org/proper/commons-text/security.html
   I think we can close this PR IMO


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] raboof closed pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

raboof closed pull request #374: Add statement about CVE-2022-42889 to frontpage
URL: https://github.com/apache/commons-text/pull/374


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [commons-text] jvz commented on a diff in pull request #374: Add statement about CVE-2022-42889 to frontpage

Posted by GitBox <gi...@apache.org>.

jvz commented on code in PR #374:
URL: https://github.com/apache/commons-text/pull/374#discussion_r998314429


##########
src/site/xdoc/index.xml:
##########
@@ -41,6 +41,41 @@ The <a href="scm.html">Git repository</a> can be
 </p>
 </section>
 <!-- ================================================== -->
+<section name="Security">
+  <subsection name="CVE-2022-42889 prior to 1.10.0, RCE when applied to untrusted input">
+    <p>
+    On 2022-10-13, the Apache Commons Text team disclosed <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889">CVE-2022-42889</a>. Key takeaways:
+    <ul>
+      <li>If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: only if this software uses the <code>StringSubstitutor</code> API without propery sanitizing any untrusted input.</li>
+      <li>If your own software uses commons-text, double-check whether it uses the <code>StringSubstitutor</code> API without propery sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.</li>

Review Comment:
   ```suggestion
         <li>If your own software uses commons-text, double-check whether it uses the <code>StringSubstitutor</code> API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input.</li>
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org