cbcvebase.
CVE-2022-42889
published 2022-10-13


Priority: P192 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 99.93% (100.0th percentile)
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.

Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • "script" - execute expressions using the JVM script execution engine (javax.script)
  • "dns" - resolve DNS records
  • "url" - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
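The description above says the risk comes from the default set of lookups that the interpolator registers. The mitigation that does not depend on upgrading is to stop using the library's default interpolator and build one from an explicit allowlist. The class below is an added example written for this page, not code from Apache Commons Text or from the advisory; it uses the public StringLookupFactory and StringSubstitutor API (interpolatorStringLookup with addDefaultLookups=false), and the "app" prefix, the sample map and the sample configuration string are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Builds a StringSubstitutor whose interpolator only knows an explicit
 * allowlist of lookups. On Commons Text 1.5 - 1.9 this removes the
 * "script", "dns" and "url" lookups that the default interpolator registers
 * (CVE-2022-42889); on 1.10.0+ those are already off by default and the
 * allowlist simply pins the set regardless of library defaults.
 * Added example, not part of the library.
 */
public final class SafeInterpolation {

    private SafeInterpolation() {}

    /** Returns a substitutor that resolves only ${sys:...}, ${env:...} and ${app:...}. */
    public static StringSubstitutor restrictedSubstitutor(Map<String, String> appValues) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;

        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", f.systemPropertyStringLookup());
        allowed.put("env", f.environmentVariableStringLookup());
        // "app" is a hypothetical prefix for values the application itself controls.
        allowed.put("app", f.mapStringLookup(appValues));

        // defaultStringLookup = null: an unknown prefix resolves to nothing and the
        // token is left verbatim.  addDefaultLookups = false: do NOT pull in the
        // library defaults, which on 1.5 - 1.9 include script/dns/url.
        StringLookup interpolator = f.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> app = new HashMap<>();
        app.put("greeting", "hello");

        StringSubstitutor sub = restrictedSubstitutor(app);

        // Constructed sample input: two allowlisted prefixes plus a script-style
        // token (benign arithmetic). With no "script" lookup registered, that
        // token is echoed back unchanged instead of being evaluated.
        String cfg = "${app:greeting} ${sys:java.version} ${script:js:1+1}";
        System.out.println(sub.replace(cfg));
    }
}
```

Running this prints the greeting and the JVM version, followed by the literal text `${script:js:1+1}`: the interpolator finds no lookup for the "script" prefix and StringSubstitutor leaves unresolved variables in place. The same allowlist works unchanged on 1.10.0, where it also guards against someone re-enabling the dangerous defaults through the library's system-property override.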

Affected

15 ranges
Vendor | Product | Version range | Fixed in
apache | commons_text | >= 1.5 < 1.10.0 | 1.10.0
apache_software_foundation | apache_commons_text | >= 1.5 < Apache Commons Text* | Apache Commons Text*
apache_software_foundation | apache_commons_text | unspecified – 1.9 |
debian | commons-text | < commons-text 1.10.0-1 (bookworm) | commons-text 1.10.0-1 (bookworm)
juniper | security_threat_response_manager | < 7.5.0 | 7.5.0
juniper | security_threat_response_manager | |
paloalto | cortex_data | |
paloalto | cortex_xdr | |
paloalto | cortex_xpanse | |
paloalto | cortex_xsoar | |
paloalto | globalprotect | |
paloalto | pan-os | |
paloalto | prisma_access | |
paloalto | prisma_cloud | |
paloalto | prisma_sd | |

Detection & IOCs (extracted from sources)

command: ${script:js:java.lang.Runtime.getRuntime().exec("mkdir /home/ThreatLabZ")}
command: ${script:js:java.lang.Runtime.getRuntime().exec("cat /etc/passwd")}
command: ${url:URL}
command: ${dns:D_name}
  • Detect the interpolation payload pattern '${script:...}', '${dns:...}', or '${url:...}' in HTTP request parameters or body — these are the three dangerous lookup prefixes exploited in CVE-2022-42889.
  • Zscaler IPS signature 'Apache.Exploit.CVE-2022-42889' can be used for network-level detection of exploit attempts.
  • Zscaler rule ID 944130 (Suspicious Java Class Detected) covers deserialization-based exploitation attempts related to this CVE.
  • Zscaler rule ID 932130 (Unix Shell Expression Found) covers RCE payload detection for this CVE.
  • The standard exploit payload format is '${prefix:name}' — monitor application inputs and logs for this interpolation pattern, especially with prefixes 'script', 'dns', and 'url'.
  • Affected versions are strictly 1.5 through 1.9; version 1.10.0 disables the dangerous interpolators by default and is the recommended fix.
  • This CVE is considered less broadly exploitable than Log4Shell because the Apache Commons Text package and the StringSubstitutor interpolator are not widely used in production environments.
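The bullets above describe the detection in words: look for the interpolation pattern with the prefixes "script", "dns" or "url" in request parameters, bodies and logs. The class below turns that into a small scanner. It is an added example for this page, not a Zscaler rule or anything from the advisory's sources; it percent-decodes the input first (repeatedly, because double-encoded parameters are common), then matches the three prefixes case-insensitively, since InterpolatorStringLookup lowercases the prefix before looking it up. The sample inputs are constructed, and the `URLDecoder.decode(String, Charset)` overload requires Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags the three CVE-2022-42889 lookup prefixes (script, dns, url) in HTTP
 * request parameters, bodies or access-log lines. Hypothetical helper written
 * for this page, not a vendor signature.
 */
public final class Text4ShellDetector {

    /** One hit: which input it came from, which prefix, and the surrounding text. */
    public static final class Finding {
        public final String source;
        public final String prefix;
        public final String snippet;

        Finding(String source, String prefix, String snippet) {
            this.source = source;
            this.prefix = prefix;
            this.snippet = snippet;
        }

        @Override
        public String toString() {
            return source + ": ${" + prefix + ":...} in \"" + snippet + "\"";
        }
    }

    // "${", optional whitespace, one of the dangerous prefixes, optional whitespace, ":".
    // Whitespace is accepted so that padded variants are flagged conservatively.
    private static final Pattern DANGEROUS =
            Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    private static final int MAX_DECODE_ROUNDS = 3;

    /** Percent-decodes until the text stops changing (handles double encoding). */
    static String decode(String s) {
        String cur = s;
        for (int i = 0; i < MAX_DECODE_ROUNDS; i++) {
            String next;
            try {
                next = URLDecoder.decode(cur, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                break; // stray '%' sequence: keep what we have so far
            }
            if (next.equals(cur)) {
                break;
            }
            cur = next;
        }
        return cur;
    }

    /** Scans one unit of input (a parameter value, a body, a log line). */
    public static List<Finding> scan(String source, String raw) {
        List<Finding> hits = new ArrayList<>();
        String text = decode(raw);
        Matcher m = DANGEROUS.matcher(text);
        while (m.find()) {
            int from = Math.max(0, m.start() - 10);
            int to = Math.min(text.length(), m.end() + 40);
            hits.add(new Finding(source, m.group(1).toLowerCase(), text.substring(from, to)));
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not real traffic).
        String[][] samples = {
            {"query-param q", "%24%7Bscript%3Ajs%3A1%7D"},                // URL-encoded ${script:js:1}
            {"header X-Tag",  "${DNS:example.invalid}"},                   // upper-case prefix
            {"body",          "name=${ url : http://203.0.113.9/x }"},     // whitespace padding
            {"config",        "g=${app:greeting} h=${sys:user.home}"},    // allowlisted prefixes, no hit
        };
        for (String[] s : samples) {
            List<Finding> hits = scan(s[0], s[1]);
            System.out.println(s[0] + " -> " + (hits.isEmpty() ? "clean" : hits));
        }
    }
}
```

The first three samples each produce one finding and the fourth is reported clean. Wire `scan` into whatever sees the raw request (a servlet filter, a WAF log pipeline, or a batch pass over access logs) and treat any hit on a host running Commons Text 1.5 through 1.9 as an exploitation attempt worth correlating with outbound DNS and HTTP from that host.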

CVSS provenance

Source | Version | Score | Vector
nvd | v3.1 | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv | | 9.8 CRITICAL |
vulncheck | | 9.8 CRITICAL |
vendor_debian | | 9.8 CRITICAL |
vendor_oracle | | 9.8 CRITICAL |
vendor_redhat | | 9.8 CRITICAL |