Security Vulnerabilities

Security Model

The Apache Commons security model specifies that it is unsafe to pass possibly malicious input to Commons libraries. For Commons Configuration 2.x, the library is designed to support processing untrusted configuration files, without allowing those to trigger arbitrary code execution or denial of service situations. 'Denial of service' here means causing resource usage disproportionate to the input size.

CVE-2022-33980 prior to 2.8.0, RCE when applied to untrusted input

On 2022-07-06, the Apache Commons Configuration team disclosed CVE-2022-33980 . Key takeaways:

• If you rely on software that uses a version of commons-configuration before 2.8.0, you are likely still not vulnerable: only if this software loads configuration files from untrusted sources, which is likely rare.
• If your software uses Commons Configuration, double-check whether it loads configuration files from untrusted sources. If so, an update to 2.8.0 could be a quick workaround, but the recommended solution is to validate and sanitize untrusted input.

Apache Commons Configuration is a library that reads configuration data from many sources. It supports variable interpolation with lookups using various mechanisms, such as system properties or environment variables. Some of the available interpolators can trigger network access or code execution. This is intended, but it also means an application that includes user input in the configuration passed to Commons Configuration without properly sanitizing it would allow an attacker to trigger those interpolators.

For that reason, the Apache Commons Configuration team decided to update the list of interpolators enabled by default to be more conservative, so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators. However, it is still recommended that users treat untrusted input with care.

We're not currently aware of any applications that load untrusted input as configuration and thus would have been impacted by this problem before Apache Commons Configuration 2.8.0.

This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Configuration issue, the processed configuration data is much less likely to come from an untrusted source.

Credit: this issue was reported by @pwntester (Alvaro Muñoz) of the GitHub Security Lab team . Thank you!

References:

• Announcement on dev@commons.apache.org
• Announcement on oss-security
• Advisory on cve.org
• GHSL advisory

CVE-2024-29131 prior to 2.10.1, Out-of-bounds Write vulnerability

On 2024-03-20, the Apache Commons Configuration team disclosed CVE-2024-29131.

This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. Users can see this as a StackOverflowError when adding a property in AbstractListDelimiterHandler.flattenIterator(). Users are recommended to upgrade to version 2.10.1, which fixes the issue. The details are in CONFIGURATION-840.

CVE-2024-29133 prior to 2.10.1, Out-of-bounds Write vulnerability

On 2024-03-20, the Apache Commons Configuration team disclosed CVE-2024-29133.

This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. Users can see this as a StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree. Users are recommended to upgrade to version 2.10.1, which fixes the issue. The details are in CONFIGURATION-841.