Apache Commons JXPath Remote Code Execution Vulnerability (CVE-2022-41852)
Oct 13, 2022 GMT+08:00
I. Overview
Apache Commons JXPath has recently been disclosed to contain a remote code execution vulnerability (CVE-2022-41852). Applications that use JXPath to interpret untrusted XPath expressions may be exposed to remote code execution. Where the XPath expression contains externally controllable input, the vulnerability is easy to exploit. A proof of concept (PoC) has already been published, so the risk is high.
Commons JXPath is a Java library that implements XPath. If you are an Apache Commons JXPath user, check your systems and apply security hardening promptly.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-41852
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
II. Severity
Severity: important
(Severity levels: low, moderate, important, critical)
III. Affected Products
Affected versions:
Commons JXPath <= 1.3
Secure versions: none (end of support)
IV. Vulnerability Handling
Troubleshooting
1. Check whether you are using the affected Commons JXPath versions.
2. If yes, check whether your code calls the JXPathContext.getValue() function and whether the XPath expression passed to it can contain externally controllable input. If both are true, your use of Commons JXPath is affected.
Workaround
1. The affected components have reached the end of support. You are advised to replace them with other components that have equivalent functions.
2. Strictly filter the input used to build XPath expressions. Do not allow the expression to be externally controllable unless it is strictly necessary.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
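As an added example, not part of this notice or of the JXPath project, the following Java code shows the call pattern that step 2 of Troubleshooting tells you to look for, beside two hardened forms that implement the input filtering advised in step 2 of Workaround. The Order bean, the ALLOWED_QUERIES map and the SIMPLE_PATH pattern are constructed for illustration and assume commons-jxpath is on the classpath.

```java
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.jxpath.JXPathContext;

public class JxpathInputCheck {
    // Constructed sample bean queried by the XPath expressions below.
    public static class Order {
        public String getId() { return "A-100"; }
        public int getQuantity() { return 3; }
    }

    // Vulnerable pattern (what the advisory tells you to look for): the XPath
    // string comes straight from an external source.
    static Object lookupUnsafe(Object bean, String untrustedXpath) {
        return JXPathContext.newContext(bean).getValue(untrustedXpath);
    }

    // Hardened pattern 1: the client picks a field name; the XPath is fixed server-side.
    private static final Map<String, String> ALLOWED_QUERIES =
            Map.of("id", "id", "quantity", "quantity");

    static Object lookupByAllowlist(Object bean, String fieldName) {
        String xpath = ALLOWED_QUERIES.get(fieldName);
        if (xpath == null) {
            throw new IllegalArgumentException("unknown field: " + fieldName);
        }
        return JXPathContext.newContext(bean).getValue(xpath);
    }

    // Hardened pattern 2 (only when a dynamic path is unavoidable): accept plain
    // step names joined by '/', optionally with a numeric index. Parentheses,
    // colons, '$' and quotes are rejected, so function calls, prefixed names and
    // variables never reach JXPath. A conservative filter, not a vendor fix.
    private static final Pattern SIMPLE_PATH = Pattern.compile(
            "^[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?(/[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?)*$");

    static Object lookupFiltered(Object bean, String xpath) {
        if (xpath == null || xpath.length() > 200 || !SIMPLE_PATH.matcher(xpath).matches()) {
            throw new IllegalArgumentException("rejected XPath expression");
        }
        return JXPathContext.newContext(bean).getValue(xpath);
    }

    public static void main(String[] args) {
        Order order = new Order();
        System.out.println(lookupByAllowlist(order, "id"));
        System.out.println(lookupFiltered(order, "quantity"));
        try { lookupFiltered(order, "quantity()"); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

Treat any code path that resembles lookupUnsafe as affected; the allowlist form is preferable to the regex filter because it never hands a caller-built string to JXPath at all.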