Apache OpenNLP
cpe:2.3:a:apache:opennlp:*:*:*:*:*:*:*
- < 2.5.9
- < 3.0.0-M3
A vulnerability exists in the Apache OpenNLP ExtensionLoader component, specifically in versions prior to 2.5.9 and 3.0.0-M3. The issue arises in the 'instantiateExtension' method, which loads classes by their fully-qualified names from the 'manifest.properties' entry of model archives. Although the method includes a type check to ensure classes are subtypes of expected interfaces, this check occurs after the class has been loaded and initialized. As a result, an attacker can supply a manipulated model archive to execute the static initializer of any class on the classpath, potentially leading to exploitation if the class performs useful actions during initialization, such as JNDI lookups or network requests. This vulnerability is not a straightforward remote code execution but poses a risk as third-party model distribution becomes more prevalent. Additionally, deployments that include legitimate subclasses of 'BaseToolFactory' or 'ArtifactSerializer' with side-effecting constructors are also vulnerable, as a malicious manifest can be used to trigger the execution of such classes' constructors during model loading.
Exploitation of this vulnerability allows for arbitrary class instantiation, with the potential execution of attacker-controlled code in the static initializer of the instantiated class, if such a class is present on the classpath.
Users of Apache OpenNLP 2.x should upgrade to version 2.5.9, and users of Apache OpenNLP 3.x should upgrade to version 3.0.0-M3. After upgrading, deployments that load models referencing factories or serializers outside the 'opennlp.*' package must opt those packages in, either programmatically or by setting the 'OPENNLP_EXT_ALLOWED_PACKAGES' system property. For users unable to upgrade immediately, it is recommended to source model files from trusted origins and audit the classpath for classes with side-effecting static initializers or constructors.
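To make the load-then-check ordering concrete, the following is an added illustrative Java program, not OpenNLP's own code: ToolFactory, InitLog, Unrelated and both loader methods are constructed stand-ins. It places the vulnerable sequence beside a hardened one that checks a package allowlist (the role OPENNLP_EXT_ALLOWED_PACKAGES plays after the fix; the comma-separated property parsing is omitted and the list is passed directly) before any loading, and resolves the class with initialize=false so no static initializer runs before the subtype check.

```java
package demo;

import java.util.List;

public class ExtensionLoaderDemo {

    // Vulnerable ordering: Class.forName(name) initialises the class before the type check runs.
    static <T> Class<? extends T> loadUnchecked(String fqcn, Class<T> expected) throws Exception {
        Class<?> c = Class.forName(fqcn); // the static initializer runs here, whatever the class is
        if (!expected.isAssignableFrom(c)) throw new IllegalArgumentException(fqcn + " is not a " + expected.getName());
        return c.asSubclass(expected);
    }

    // Hardened ordering: allowlist the package, resolve the class without initialising it, type-check,
    // and only then return a class that is safe to initialise and instantiate.
    static <T> Class<? extends T> loadChecked(String fqcn, Class<T> expected, List<String> allowedPkgs) throws Exception {
        String pkg = fqcn.contains(".") ? fqcn.substring(0, fqcn.lastIndexOf('.')) : "";
        if (allowedPkgs.stream().noneMatch(p -> pkg.equals(p) || pkg.startsWith(p + ".")))
            throw new SecurityException("package '" + pkg + "' is not allowlisted for " + fqcn);
        Class<?> c = Class.forName(fqcn, false, ExtensionLoaderDemo.class.getClassLoader()); // initialize=false
        if (!expected.isAssignableFrom(c)) throw new IllegalArgumentException(fqcn + " is not a " + expected.getName());
        return c.asSubclass(expected);
    }

    public static void main(String[] args) throws Exception {
        String fromManifest = "demo.Unrelated"; // constructed: a name a tampered manifest.properties could carry
        try { loadChecked(fromManifest, ToolFactory.class, List.of("opennlp")); }
        catch (SecurityException e) { System.out.println("allowlist rejected: " + e.getMessage()); }
        try { loadChecked(fromManifest, ToolFactory.class, List.of("demo")); }
        catch (IllegalArgumentException e) { System.out.println("type check rejected: " + e.getMessage()); }
        System.out.println("Unrelated initialised after hardened loads? " + InitLog.unrelatedInitialised);
        try { loadUnchecked(fromManifest, ToolFactory.class); }
        catch (IllegalArgumentException e) { System.out.println("type check rejected: " + e.getMessage()); }
        System.out.println("Unrelated initialised after vulnerable load? " + InitLog.unrelatedInitialised);
    }
}

/** Constructed stand-in for an extension interface such as BaseToolFactory. */
interface ToolFactory {}

/** Records whether Unrelated was initialised, without itself touching Unrelated. */
class InitLog { static boolean unrelatedInitialised = false; }

/** Constructed class that is not a ToolFactory but has an observable static initializer. */
class Unrelated {
    static { InitLog.unrelatedInitialised = true; } // stands in for a side effect such as a JNDI lookup
}
```

Both hardened calls reject the manifest name while leaving the flag false, because the type check is reached only after a non-initialising load; the unchecked call also rejects it, but only after the static initializer has already run, which is exactly the window the advisory describes.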