Closed flyingcircle closed 1 year ago
I tried replacing the commons-text-1.8.jar
within /opt/mirthconnect/client-lib/, /opt/mirthconnect/manager-lib/
and /opt/mirthconnect/server-lib/commons/
with 1.10 from https://commons.apache.org/proper/commons-text/download_text.cgi and got the following error:
org/apache/commons/text/lookup/StringLookupFactory
at org.apache.commons.configuration2.interpol.DefaultLookups.<clinit>(DefaultLookups.java:67)
at org.apache.commons.configuration2.interpol.ConfigurationInterpolator.<clinit>(ConfigurationInterpolator.java:111)
at org.apache.commons.configuration2.convert.DefaultConversionHandler.<clinit>(DefaultConversionHandler.java:72)
at org.apache.commons.configuration2.beanutils.DefaultBeanFactory.<init>(DefaultBeanFactory.java:84)
at org.apache.commons.configuration2.beanutils.DefaultBeanFactory.<init>(DefaultBeanFactory.java:71)
at org.apache.commons.configuration2.beanutils.DefaultBeanFactory.<clinit>(DefaultBeanFactory.java:56)
at org.apache.commons.configuration2.beanutils.BeanHelper.<init>(BeanHelper.java:118)
at org.apache.commons.configuration2.beanutils.BeanHelper.<init>(BeanHelper.java:106)
at org.apache.commons.configuration2.beanutils.BeanHelper.<clinit>(BeanHelper.java:80)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at com.sun.proxy.$Proxy0.<clinit>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:739)
at org.apache.commons.configuration2.builder.fluent.Parameters.createParametersProxy(Parameters.java:306)
at org.apache.commons.configuration2.builder.fluent.Parameters.properties(Parameters.java:245)
at com.mirth.connect.client.core.PropertiesConfigurationUtil.getDefaultParameters(PropertiesConfigurationUtil.java:91)
at com.mirth.connect.client.core.PropertiesConfigurationUtil.createBuilder(PropertiesConfigurationUtil.java:32)
at com.mirth.connect.client.core.PropertiesConfigurationUtil.create(PropertiesConfigurationUtil.java:44)
at com.mirth.connect.server.Mirth.<init>(Mirth.java:77)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at com.mirth.connect.server.launcher.MirthLauncher.main(MirthLauncher.java:108)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:85)
at com.install4j.runtime.launcher.UnixLauncher.main(UnixLauncher.java:62)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.text.lookup.StringLookupFactory
I then tried to update the commons-configuration2-2.7.jar
with 2.8 from https://commons.apache.org/proper/commons-configuration/download_configuration.cgi and got a similar error:
org.apache.commons.configuration2.ex.ConfigurationRuntimeException: java.lang.ClassNotFoundException: org.apache.commons.configuration2.PropertiesConfiguration
at org.apache.commons.configuration2.beanutils.BeanHelper.fetchBeanClass(BeanHelper.java:427)
at org.apache.commons.configuration2.beanutils.BeanHelper.createBeanCreationContext(BeanHelper.java:475)
at org.apache.commons.configuration2.beanutils.BeanHelper.createBean(BeanHelper.java:353)
at org.apache.commons.configuration2.beanutils.BeanHelper.createBean(BeanHelper.java:371)
at org.apache.commons.configuration2.beanutils.BeanHelper.createBean(BeanHelper.java:383)
at org.apache.commons.configuration2.builder.BasicConfigurationBuilder.createResultInstance(BasicConfigurationBuilder.java:361)
at org.apache.commons.configuration2.builder.BasicConfigurationBuilder.createResult(BasicConfigurationBuilder.java:338)
at org.apache.commons.configuration2.builder.BasicConfigurationBuilder.getConfiguration(BasicConfigurationBuilder.java:234)
at com.mirth.connect.client.core.PropertiesConfigurationUtil.create(PropertiesConfigurationUtil.java:44)
at com.mirth.connect.server.Mirth.<init>(Mirth.java:77)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at com.mirth.connect.server.launcher.MirthLauncher.main(MirthLauncher.java:108)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:85)
at com.install4j.runtime.launcher.UnixLauncher.main(UnixLauncher.java:62)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.configuration2.PropertiesConfiguration
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at org.apache.commons.lang3.ClassUtils.getClass(ClassUtils.java:993)
at org.apache.commons.lang3.ClassUtils.getClass(ClassUtils.java:1059)
at org.apache.commons.lang3.ClassUtils.getClass(ClassUtils.java:1042)
at org.apache.commons.configuration2.beanutils.BeanHelper.loadClass(BeanHelper.java:396)
at org.apache.commons.configuration2.beanutils.BeanHelper.fetchBeanClass(BeanHelper.java:425)
... 21 more
I'm on version 3.10.1, CentOS 7
@RunnenLate Try renaming the 1.10 jar to commons-text-1.8.jar.
https://github.com/nextgenhealthcare/connect/blob/442b0895ab988071a294b5fda68b59474a4de8b7/server/build.xml#L1025
The 1.8 jar is specified in the mirth-launcher manifest so that it gets loaded earlier than stuff in server-lib would otherwise load. Same thing with commons-configuration2-2.7.jar.
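An added example, not code from this thread or from the Mirth Connect project: it audits a launcher jar's manifest `Class-Path` against the files on disk. It reports entries that no longer exist, which is the cause of the `ClassNotFoundException` above, and jars whose file name states a different version than the Maven `pom.properties` inside them. The second case is what the rename workaround produces, and a file-name-based inventory would still list such a jar as 1.8. The file name `launcher.jar`, the directory layout and all function names are assumptions made for the demo, which builds a constructed install tree in a temporary directory; jars built without Maven metadata are skipped by the version check.

```python
import re, tempfile, zipfile
from pathlib import Path

def manifest_class_path(jar_path):
    """Class-Path entries of a jar manifest, with folded lines rejoined."""
    with zipfile.ZipFile(jar_path) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    text = re.sub(r"\r?\n ", "", text)  # a continuation line starts with one space
    m = re.search(r"^Class-Path:(.*)$", text, re.M)
    return m.group(1).split() if m else []

def embedded_version(jar_path):
    """Version recorded in the jar's Maven pom.properties, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                m = re.search(r"^version=(.+)$", jar.read(name).decode("utf-8"), re.M)
                if m:
                    return m.group(1).strip()
    return None

def audit(launcher_jar):
    """Report Class-Path entries that are missing or whose name hides another version."""
    findings = []
    for entry in manifest_class_path(launcher_jar):
        path = Path(launcher_jar).parent / entry  # entries resolve relative to the jar
        if not path.is_file():
            findings.append((entry, "missing"))
            continue
        real, named = embedded_version(path), re.search(r"-(\d[\w.]*)\.jar$", path.name)
        if real and named and named.group(1) != real:
            findings.append((entry, f"named {named.group(1)}, contains {real}"))
    return findings

def demo():
    """Constructed tree: one jar renamed as in the thread, one swapped under a new name."""
    def make_jar(path, member, body):
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(member, body)
    with tempfile.TemporaryDirectory() as tmp:
        root, lib = Path(tmp), Path(tmp) / "server-lib" / "commons"
        manifest = ("Manifest-Version: 1.0\r\nClass-Path: server-lib/commons/commons-text-1.8.jar"
                    " server-lib/comm\r\n ons/commons-configuration2-2.7.jar\r\n")
        make_jar(root / "launcher.jar", "META-INF/MANIFEST.MF", manifest)
        pom = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
        make_jar(lib / "commons-text-1.8.jar", pom, "version=1.10.0\n")
        make_jar(lib / "commons-configuration2-2.8.0.jar", "placeholder.txt", "")
        return audit(root / "launcher.jar")
```

On a real install, call `audit()` with the path of the launcher jar; an empty list means every manifest entry exists and no jar's name contradicts its embedded version.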
Comment from NextGen - https://mirthconnect.slack.com/archives/C02SW0K4D/p1666214700982649?thread_ts=1666196138.152159&cid=C02SW0K4D
I had narupley review the CVE and he has determined that we are not affected by this since we do not use the StringSubstitutor API. Therefore, at this time we do not plan to update for 4.2.0. When Travis West gets back we will review it and determine when it makes sense to make this change.
Followup from NextGen - https://mirthconnect.slack.com/archives/C02SW0K4D/p1666712320028559?thread_ts=1666196138.152159&cid=C02SW0K4D
The dev team (led by narupley) was able to find some time to pull this work in, so the update for Apache Commons-text will be in our 4.2.0 release.
That's great! I think up-to-date libs will be a much more important topic in production environments in the future.
Describe the security issue: CVE-2022-42889
Vulnerability Location: The function is not used, but it would be wise to update to prevent any usage of this function in the future.
Environment (please complete the following information if it is applicable to the issue): N/A
Suggested remediation: The issue causing the bug is turned off by default in commons-text 1.10.0