nextgenhealthcare / connect

The swiss army knife of healthcare integration.

[SECURITY] commons-text arbitrary code execution #5474

Closed flyingcircle closed 1 year ago

flyingcircle commented 1 year ago

Describe the security issue: CVE-2022-42889

Vulnerability Location: The function is not used, but it would be wise to update to prevent any usage of this function in the future.

Environment (please complete the following information if it is applicable to the issue): N/A

Suggested remediation: The issue causing the bug is turned off by default in commons-text 1.10.0.

RunnenLate commented 1 year ago

I tried replacing the commons-text-1.8.jar within /opt/mirthconnect/client-lib/, /opt/mirthconnect/manager-lib/ and /opt/mirthconnect/server-lib/commons/ with 1.10 from https://commons.apache.org/proper/commons-text/download_text.cgi and got the following error:

org/apache/commons/text/lookup/StringLookupFactory
        at org.apache.commons.configuration2.interpol.DefaultLookups.<clinit>(DefaultLookups.java:67)
        at org.apache.commons.configuration2.interpol.ConfigurationInterpolator.<clinit>(ConfigurationInterpolator.java:111)
        at org.apache.commons.configuration2.convert.DefaultConversionHandler.<clinit>(DefaultConversionHandler.java:72)
        at org.apache.commons.configuration2.beanutils.DefaultBeanFactory.<init>(DefaultBeanFactory.java:84)
        at org.apache.commons.configuration2.beanutils.DefaultBeanFactory.<init>(DefaultBeanFactory.java:71)
        at org.apache.commons.configuration2.beanutils.DefaultBeanFactory.<clinit>(DefaultBeanFactory.java:56)
        at org.apache.commons.configuration2.beanutils.BeanHelper.<init>(BeanHelper.java:118)
        at org.apache.commons.configuration2.beanutils.BeanHelper.<init>(BeanHelper.java:106)
        at org.apache.commons.configuration2.beanutils.BeanHelper.<clinit>(BeanHelper.java:80)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:264)
        at com.sun.proxy.$Proxy0.<clinit>(Unknown Source)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:739)
        at org.apache.commons.configuration2.builder.fluent.Parameters.createParametersProxy(Parameters.java:306)
        at org.apache.commons.configuration2.builder.fluent.Parameters.properties(Parameters.java:245)
        at com.mirth.connect.client.core.PropertiesConfigurationUtil.getDefaultParameters(PropertiesConfigurationUtil.java:91)
        at com.mirth.connect.client.core.PropertiesConfigurationUtil.createBuilder(PropertiesConfigurationUtil.java:32)
        at com.mirth.connect.client.core.PropertiesConfigurationUtil.create(PropertiesConfigurationUtil.java:44)
        at com.mirth.connect.server.Mirth.<init>(Mirth.java:77)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at com.mirth.connect.server.launcher.MirthLauncher.main(MirthLauncher.java:108)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:85)
        at com.install4j.runtime.launcher.UnixLauncher.main(UnixLauncher.java:62)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.text.lookup.StringLookupFactory

I then tried to update the commons-configuration2-2.7.jar with 2.8 from https://commons.apache.org/proper/commons-configuration/download_configuration.cgi and got a similar error:

org.apache.commons.configuration2.ex.ConfigurationRuntimeException: java.lang.ClassNotFoundException: org.apache.commons.configuration2.PropertiesConfiguration
        at org.apache.commons.configuration2.beanutils.BeanHelper.fetchBeanClass(BeanHelper.java:427)
        at org.apache.commons.configuration2.beanutils.BeanHelper.createBeanCreationContext(BeanHelper.java:475)
        at org.apache.commons.configuration2.beanutils.BeanHelper.createBean(BeanHelper.java:353)
        at org.apache.commons.configuration2.beanutils.BeanHelper.createBean(BeanHelper.java:371)
        at org.apache.commons.configuration2.beanutils.BeanHelper.createBean(BeanHelper.java:383)
        at org.apache.commons.configuration2.builder.BasicConfigurationBuilder.createResultInstance(BasicConfigurationBuilder.java:361)
        at org.apache.commons.configuration2.builder.BasicConfigurationBuilder.createResult(BasicConfigurationBuilder.java:338)
        at org.apache.commons.configuration2.builder.BasicConfigurationBuilder.getConfiguration(BasicConfigurationBuilder.java:234)
        at com.mirth.connect.client.core.PropertiesConfigurationUtil.create(PropertiesConfigurationUtil.java:44)
        at com.mirth.connect.server.Mirth.<init>(Mirth.java:77)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at com.mirth.connect.server.launcher.MirthLauncher.main(MirthLauncher.java:108)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:85)
        at com.install4j.runtime.launcher.UnixLauncher.main(UnixLauncher.java:62)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.configuration2.PropertiesConfiguration
        at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:348)
        at org.apache.commons.lang3.ClassUtils.getClass(ClassUtils.java:993)
        at org.apache.commons.lang3.ClassUtils.getClass(ClassUtils.java:1059)
        at org.apache.commons.lang3.ClassUtils.getClass(ClassUtils.java:1042)
        at org.apache.commons.configuration2.beanutils.BeanHelper.loadClass(BeanHelper.java:396)
        at org.apache.commons.configuration2.beanutils.BeanHelper.fetchBeanClass(BeanHelper.java:425)
        ... 21 more

I'm on version 3.10.1, CentOS 7

tonygermano commented 1 year ago

@RunnenLate Try renaming the 1.10 jar to commons-text-1.8.jar. https://github.com/nextgenhealthcare/connect/blob/442b0895ab988071a294b5fda68b59474a4de8b7/server/build.xml#L1025 The 1.8 jar is specified in the mirth-launcher manifest so that it gets loaded earlier than stuff in server-lib would otherwise load. Same thing with commons-configuration2-2.7.jar.
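Why the plain swap failed and what the rename leaves behind, as an added example that is not part of the thread or the project's code: it reads the launcher manifest's Class-Path to find the pinned commons-text file name, then reads the version each jar declares in its own manifest instead of trusting the file name. The function names are hypothetical, and reliance on the Implementation-Version / Bundle-Version manifest attributes is an assumption about how the jar was built.

```python
import io
import re
import zipfile

FIXED = (1, 10, 0)  # from the issue: the lookups are off by default in commons-text 1.10.0


def version_tuple(text):
    """'1.8.jar' -> (1, 8, 0); padded so that '1.10' and '1.10.0' compare equal."""
    parts = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def manifest_attrs(jar):
    """Main-section attributes of META-INF/MANIFEST.MF, continuation lines joined."""
    with zipfile.ZipFile(jar) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    main = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]  # first blank line ends the section
    main = re.sub(r"\r?\n ", "", main)  # a leading space continues the previous line
    return dict(line.split(": ", 1) for line in main.splitlines() if ": " in line)


def audit_commons_text(launcher_jar, libs):
    """libs maps jar file name -> path or file object; one finding per pinned jar."""
    findings = []
    for entry in manifest_attrs(launcher_jar).get("Class-Path", "").split():
        name = entry.rsplit("/", 1)[-1]
        if not name.startswith("commons-text-"):
            continue
        if name not in libs:  # the situation behind the first stack trace in the thread
            findings.append((name, None, "missing: expect ClassNotFoundException"))
            continue
        attrs = manifest_attrs(libs[name])
        real = attrs.get("Implementation-Version") or attrs.get("Bundle-Version", "0")
        state = "ok" if version_tuple(real) >= FIXED else "update needed"
        if version_tuple(real) != version_tuple(name[len("commons-text-"):]):
            state += ", file name misreports version"
        findings.append((name, real, state))
    return findings


def make_jar(manifest):
    """Constructed in-memory jar holding only a manifest (sample input, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf
```

With real files, pass the launcher jar's path and a dict of file name to path for the library directory. A jar reported as "ok, file name misreports version" is the expected result of the rename workaround and will still be flagged by scanners that match on file names.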

jonbartels commented 1 year ago

Comment from NextGen - https://mirthconnect.slack.com/archives/C02SW0K4D/p1666214700982649?thread_ts=1666196138.152159&cid=C02SW0K4D

I had narupley review the CVE and he has determined that we are not affected by this since we do not use the StringSubstitutor API. Therefore, at this time we do not plan to update for 4.2.0. When Travis West gets back we will review it and determine when it makes sense to make this change.

jonbartels commented 1 year ago

Followup from NextGen - https://mirthconnect.slack.com/archives/C02SW0K4D/p1666712320028559?thread_ts=1666196138.152159&cid=C02SW0K4D

The dev team (led by narupley) was able to find some time to pull this work in, so the update for Apache Commons-text will be in our 4.2.0 release.

NoraTheExplorer commented 1 year ago

That's great! I think up-to-date libs will be a much more important topic in production environments in the future.