Apache Commons logo Commons Configuration

Security Vulnerabilities

For information about reporting or asking questions about security, please see the security page of the Apache Commons project.

This page lists all security vulnerabilities fixed in released versions of this component.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the component version that you are using.

If you need help on building this component or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public user mailing list.

If you have encountered an unlisted security vulnerability or other unexpected behavior that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

CVE-2022-33980 prior to 2.8.0, RCE when applied to untrusted input

On 2022-07-06, the Apache Commons Configuration team disclosed CVE-2022-33980 . Key takeaways:

  • If you rely on software that uses a version of commons-configuration prior to 2.8.0, you are likely still not vulnerable: only if this software loads configuration files from untrusted sources, which is likely rare.
  • If your own software uses commons-configuration, double-check whether it loads configuration files from untrusted sources. If so, an update to 2.8.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize the untrusted input.

Apache Commons Configuration is a library to read configuration data from a variety of sources. It supports variable interpolation with lookups using various mechanisms, such as system properties or environment variables. Some of the available interpolators can trigger network access or code execution. This is intended, but it also means an application that includes user input in the configuration passed to Commons Configuration without properly sanitizing it would allow an attacker to trigger those interpolators.

For that reason the Apache Commons Configuration team have decided to update the list of interpolators that are enabled by default to be more conservative, so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators. However, it is still recommended that users treat untrusted input with care.

We're not currently aware of any applications that load untrusted input as configuration and thus would have been impacted by this problem prior to Apache Commons Configuration 2.8.0.

This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Configuration issue, the processed configuration data is much less likely to come from an untrusted source.

Credit: this issue was reported by @pwntester (Alvaro Muñoz) of the GitHub Security Lab team . Thank you!

References: