Apache “Commons Configuration” patches Log4Shell-style bug – what you need to know

2022-07-08 18:59

Well, the bug CVE-2022-33980, which doesn't have a catchy name yet, is a very similar sort of blunder in the Apache Commons Configuration toolkit.

The name's quite a mouthful: Apache Commons is another Apache project that provides numerous Java utilities that provide a wide range of handy programming toolkits.

One of these is Commons Configuration, which lets Java apps work with configuration files of a wide range of different formats, including XML, INI, plist, and many more.

As the project itself says, "The Commons Configuration software library provides a generic configuration interface which enables a Java application to read configuration data from a variety of sources."

According to the Commons Configuration team, this "Interpolation" bug was introduced in version 2.4 and patched in version 2.8.0.

If you have any Java software that uses the Apache Commons Configuration library, update as soon as you can!

News URL

https://nakedsecurity.sophos.com/2022/07/08/apache-commons-configuration-toolkit-patches-log4shell-like-bug/

#apache #log4shell #CVE-2022-33980

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2022-07-06	CVE-2022-33980	Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. network low complexity apache netapp debian critical	9.8

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Apache		295	58	834	627	289	1808