May 28, 2023

Researchers discovered a Log4j-like bug, tracked as CVE-2022-33980, in the Apache Commons Configuration toolkit.

Apache Commons is another Apache project that provides a wide range of reusable Java utility libraries and handy programming toolkits.

One of these is Commons Configuration, which lets Java apps work with configuration files of a wide range of different formats, including XML, INI, plist, and many more.

The Commons Configuration software library provides a generic configuration interface which enables a Java application to read configuration data from a variety of sources.

Instead of being used as plain text, strings of the following forms trigger a special kind of “reprocessing”, referred to rather confusingly in the jargon as interpolation:

  • ${script:STRING} runs STRING as script code inside the JVM and uses the output of that code.
  • ${dns:STRING} looks up STRING using DNS.
  • ${url:STRING} reads the URL STRING and retrieves the text to use from there.

If an attacker can get such a string into a value that the library interpolates, these lookups can be abused to run malicious code, leak data via DNS lookups, or fetch configuration settings from a rogue website.

This bug was introduced in version 2.4 (released in late 2018) and patched in version 2.8.0 (released 2022-07-05, this week).

All updates going back to version 2.2 in 2017 are listed as “minor releases”, so updating from any of the vulnerable versions 2.4, 2.5, 2.6 or 2.7 to the latest version ought to be uncontroversial.

The following commands locate installed copies of the library so you can check whether the version is vulnerable.

On Linux/Unix:

$ find / -type f -name 'commons-configuration2-*.jar'

On Windows:

> DIR C:\commons-configuration2-*.jar /S

Vulnerable versions have the names:

commons-configuration2-2.4.jar
commons-configuration2-2.5.jar
commons-configuration2-2.6.jar
commons-configuration2-2.7.jar

Earlier or later versions don’t have the bug.

The latest version:

commons-configuration2-2.8.0.jar
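As an added example (not code from the original post, from Sophos or from the Apache project), the following POSIX shell script turns the two checks above into a repeatable audit: it wraps the Linux find command to locate commons-configuration2 jars and classifies the version in each file name using the ranges the post gives (2.4 to 2.7 affected, 2.8.0 fixed), and it searches configuration files for the script:, dns: and url: interpolation prefixes described earlier. The directory tree created by build_demo_tree, with its empty jar files and one properties file, is constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sophos/Apache.
# Defender-side checks for CVE-2022-33980 in Apache Commons Configuration:
#   1. locate commons-configuration2 jars and classify the version found in the
#      file name (2.4-2.7 affected, 2.8.0 fixed, per the post);
#   2. look through configuration files for the script:, dns: and url:
#      interpolation prefixes, which are the lookups the post describes.
# build_demo_tree creates constructed sample files so the script runs stand-alone.

# is_vulnerable_version VERSION -> returns 0 (true) for 2.4, 2.5, 2.6 or 2.7
is_vulnerable_version() {
    case "$1" in
        2.4|2.4.*|2.5|2.5.*|2.6|2.6.*|2.7|2.7.*) return 0 ;;
        *) return 1 ;;
    esac
}

# version_from_jar PATH -> prints the version embedded in the jar file name
version_from_jar() {
    base=$(basename "$1" .jar)
    printf '%s\n' "${base#commons-configuration2-}"
}

# scan_jars DIR -> one line per jar: "VULNERABLE <path> (version X)" or "ok ..."
# (stderr is silenced so unreadable directories do not clutter the report)
scan_jars() {
    find "$1" -type f -name 'commons-configuration2-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        v=$(version_from_jar "$jar")
        if is_vulnerable_version "$v"; then
            printf 'VULNERABLE %s (version %s)\n' "$jar" "$v"
        else
            printf 'ok %s (version %s)\n' "$jar" "$v"
        fi
    done
}

# count_vulnerable_jars DIR -> prints the number of affected jars under DIR
count_vulnerable_jars() {
    scan_jars "$1" | grep -c '^VULNERABLE' || true
}

# find_risky_lookups DIR -> prints file:line:text for every configuration line
# that uses one of the three interpolation prefixes the advisory is about
find_risky_lookups() {
    find "$1" -type f \( -name '*.properties' -o -name '*.xml' -o -name '*.ini' \) \
        -exec grep -HnE '\$\{(script|dns|url):' {} + 2>/dev/null || true
}

# count_risky_lookups DIR -> prints how many such lines were found
count_risky_lookups() {
    find_risky_lookups "$1" | grep -c . || true
}

# build_demo_tree -> creates a throw-away directory with constructed sample files
# (empty jars named like real ones, one properties file) and prints its path
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app1/lib" "$d/app2/lib" "$d/app3/lib" "$d/app3/conf"
    : > "$d/app1/lib/commons-configuration2-2.7.jar"     # affected version
    : > "$d/app2/lib/commons-configuration2-2.8.0.jar"   # fixed release
    : > "$d/app3/lib/commons-configuration2-2.2.jar"     # predates the bug
    cat > "$d/app3/conf/app.properties" <<'EOF'
# constructed sample configuration for the demonstration
home.dir=${sys:user.home}
feature.flag=${dns:config.example.invalid}
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed tree, then remove it.
demo=$(build_demo_tree)
scan_jars "$demo"
find_risky_lookups "$demo"
rm -rf "$demo"
```

For a real host, call scan_jars / and find_risky_lookups on the application's configuration directories instead of the demo tree. A file-name check only finds jars that carry their version in the name; a shaded or "fat" application jar that bundles the library will not show up, so the Maven or Gradle dependency tree should be checked as well. The sys: line in the sample file is there to show that the grep flags only the three prefixes the advisory concerns, not every interpolated value.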

If a vulnerable version is found, it is recommended to update as soon as possible.

Reference: Sophos
