Coordinated Disclosure Timeline

Summary

Attackers able to control a configuration file or property may be able to run arbitrary system commands.

Product

Apache Commons Configuration

Tested Version

2.7

Details

Issue: Unsafe script evaluation (GHSL-2022-017)

By default, Commons Configuration performs variable interpolation, which allows properties to be dynamically evaluated and expanded. The general syntax of a variable name is ${prefix:name}. The prefix tells Commons Configuration that the variable is to be evaluated in a certain context. If the prefix is missing, the context is the current configuration instance. If a prefix is provided, it is used to look up the matching Lookup class that will resolve the variable. Under the hood, Commons Configuration uses the Commons Text StringSubstitutor with the default set of interpolation lookups. One of the lookups available by default is the ScriptStringLookup, which uses the javax.script package to run scripts (e.g. JavaScript, Groovy, …). An attacker can provide a configuration property such as ${script:javascript:java.lang.Runtime.getRuntime().exec()} to run arbitrary system commands when the property is retrieved.

PoC

Create a properties file such as:

database.user = ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}

Load the database.user property:

import java.io.File;
import org.apache.commons.configuration2.FileBasedConfiguration;
import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.builder.FileBasedConfigurationBuilder;
import org.apache.commons.configuration2.builder.fluent.Parameters;

Parameters params = new Parameters();
File propertiesFile = new File("config.properties");
FileBasedConfigurationBuilder<FileBasedConfiguration> builder =
    new FileBasedConfigurationBuilder<FileBasedConfiguration>(PropertiesConfiguration.class)
        .configure(params.fileBased().setFile(propertiesFile));
FileBasedConfiguration config = builder.getConfiguration(); // throws ConfigurationException
// Interpolation happens on read: this call is what triggers the script lookup.
config.getString("database.user");

A file called /tmp/foo should have been created.

Reasons to report

This issue may be considered a feature; however, we think it is a vulnerability for the following reasons:

  1. In the past, CVE-2020-1953 was issued with CVSS 10. This vulnerability is similar to the one being reported, since loading untrusted configuration files may lead to remote code execution (RCE).
  2. Official documentation does not mention the script interpolation and the related risk, so users may not be aware of it. It does, however, mention the const, sys, and env interpolations.
  3. Official documentation documents ExprLookup, which is similar to ScriptStringLookup in that both can lead to RCE; in that case, however, the dangerous lookup is opt-in and therefore not enabled by default (probably because of the security implications, although this is not stated explicitly).
  4. An attacker does not need to control the whole configuration file: untrusted data flowing to Configuration.addProperty or Configuration.setProperty will also lead to RCE if those properties are later read.
  5. Some configurations, such as ServletRequestConfiguration, are intrinsically insecure since they will always contain user-controlled properties.
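The interpolation mechanism described in the Details section resolves prefixed variables at read time, so the mitigation for code pinned to the tested version is to replace the default prefix lookups with an explicit allow-list before any property is read. The following is an added example written for this page; it is not code from the advisory or from the Commons Configuration project. It assumes the 2.x API (AbstractConfiguration.installInterpolator, the DefaultLookups enum and ConfigurationInterpolator.getLookups), and the choice of sys, env and const as the allowed prefixes is an assumption for illustration. Because interpolation happens on read, the same replacement also covers properties injected through addProperty/setProperty (reason 4 above).

```java
import java.io.File;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.configuration2.AbstractConfiguration;
import org.apache.commons.configuration2.FileBasedConfiguration;
import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.builder.FileBasedConfigurationBuilder;
import org.apache.commons.configuration2.builder.fluent.Parameters;
import org.apache.commons.configuration2.ex.ConfigurationException;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.Lookup;

/** Added example (not project code): load a properties file with an allow-listed interpolator. */
public class SafeInterpolationLoader {

    // Assumption for this example: the application only needs sys, env and const.
    // Every other default prefix (script, dns, url, ...) is simply never registered.
    private static final EnumSet<DefaultLookups> ALLOWED =
        EnumSet.of(DefaultLookups.SYSTEM_PROPERTIES, DefaultLookups.ENVIRONMENT, DefaultLookups.CONST);

    /** Builds the prefix -> Lookup map for the allow-list. */
    static Map<String, Lookup> allowedPrefixLookups() {
        Map<String, Lookup> lookups = new HashMap<>();
        for (DefaultLookups dl : ALLOWED) {
            lookups.put(dl.getPrefix(), dl.getLookup());
        }
        return lookups;
    }

    /** Loads the file and swaps the interpolator before the first property read. */
    static AbstractConfiguration load(File propertiesFile) throws ConfigurationException {
        Parameters params = new Parameters();
        FileBasedConfigurationBuilder<FileBasedConfiguration> builder =
            new FileBasedConfigurationBuilder<FileBasedConfiguration>(PropertiesConfiguration.class)
                .configure(params.fileBased().setFile(propertiesFile));
        // Loading parses the file but performs no interpolation; that only happens on getString() etc.
        AbstractConfiguration config = (AbstractConfiguration) builder.getConfiguration();
        // installInterpolator() replaces the interpolator with one that knows only the
        // allow-listed prefixes plus the configuration's own keys (unprefixed ${name}).
        config.installInterpolator(allowedPrefixLookups(), Collections.<Lookup>emptyList());
        return config;
    }

    /** Sanity check a test can call: true when no Lookup is registered for the given prefix. */
    static boolean prefixDisabled(AbstractConfiguration config, String prefix) {
        return !config.getInterpolator().getLookups().containsKey(prefix);
    }

    public static void main(String[] args) throws ConfigurationException {
        AbstractConfiguration config = load(new File("config.properties"));
        // With the allow-list in place, a value such as  ${script:javascript:1+1}  is returned
        // verbatim: the "script" prefix has no Lookup, so nothing is evaluated.
        System.out.println("database.user = " + config.getString("database.user"));
        System.out.println("script prefix disabled: " + prefixDisabled(config, "script"));
        System.out.println("sys prefix available:   " + !prefixDisabled(config, "sys"));
    }
}
```

Two practical notes. First, the replacement is per configuration instance: if the configuration is produced by a reloading builder, a reload creates a fresh instance with the default interpolator again, so the allow-list has to be reapplied on every result (for example from a builder result listener) rather than once. Second, an unresolvable prefix leaves the placeholder in the returned string, so application code that expects a concrete value should treat an unexpanded ${...} as a configuration error rather than passing it downstream.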

Impact

This issue may lead to Remote Code Execution.

CVE

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-017 in any communication regarding this issue.