On October 17, 2022, researcher Alvaro Munoz discovered a vulnerability in Apache Commons Text. The vulnerability, CVE-2022-42889, carries a CVSSv3 score of 9.8 and is present in Apache Commons Text 1.5 through 1.9. Proof-of-concept code walking through the vulnerability is already available.
Some groups are referring to this vulnerability as Text4Shell or Act4Shell because of its similarity to the Log4Shell bugs that surfaced in Apache Log4j in 2021. Both vulnerabilities sit in widely used open-source libraries, which makes them both highly relevant and difficult to remedy.
The one mitigating factor here is that Apache Commons Text is rarely used by applications to process untrusted, potentially malicious input. For that reason, we expect the vulnerability to be less prevalent than Log4Shell, though Text4Shell highlights the underlying risk of depending on open-source libraries maintained by just a few people.
Apache released an updated version (1.10.0) on September 24 to fix the vulnerability, which had been present since 2018, and followed up with an advisory on Thursday, Oct 13. The vulnerability lies in how Apache Commons Text performs variable interpolation.
According to the advisory, “Starting with version 1.5 and continuing through 1.9, the set of default lookup instances included interpolations that could result in arbitrary code execution or contact with remote servers.”
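The interpolation described above is driven by lookup prefixes such as ${date:...}, ${sys:...}, ${script:...}, ${dns:...} and ${url:...} inside a StringSubstitutor template. The example below is added here and is not code from the advisory, from Automox or from the Commons Text project: it builds an interpolator whose prefixes are limited to an explicit allow-list, so that whatever the default set of lookups happens to be on the installed version, an input string can only reach the lookups the application registered. The class name, the sample template and the application values are constructed for the example; the StringLookupFactory and StringSubstitutor calls are the library's public API.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not part of the advisory or the Commons Text project):
 * interpolation restricted to an allow-list of lookup prefixes, so the
 * "script", "dns" and "url" lookups that 1.5 through 1.9 register by
 * default are never reachable from the template text.
 */
public class RestrictedInterpolation {

    /** Application-controlled variables that templates may reference as ${name}. */
    private static final Map<String, String> APP_VALUES = new HashMap<>();
    static {
        APP_VALUES.put("app", "inventory-service");   // constructed sample value
        APP_VALUES.put("stage", "prod");              // constructed sample value
    }

    /**
     * Builds a StringSubstitutor whose interpolator knows only the prefixes
     * registered here. Passing addDefaultLookups=false keeps the factory from
     * adding its default set, which in 1.5-1.9 includes script, dns and url.
     */
    static StringSubstitutor restrictedSubstitutor(Map<String, String> appValues) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;

        Map<String, StringLookup> allowed = new HashMap<>();
        // ${date:<pattern>} only formats the current date; no I/O, no code execution.
        allowed.put(StringLookupFactory.KEY_DATE, factory.dateStringLookup());

        // Unprefixed ${name} resolves only against the application's own map.
        StringLookup defaultLookup = factory.mapStringLookup(appValues);

        StringLookup interpolator = factory.interpolatorStringLookup(allowed, defaultLookup, false);
        return new StringSubstitutor(interpolator);
    }

    /**
     * The pattern to look for in code review: the library's default interpolator
     * (all default lookups enabled) applied to a template. On 1.5-1.9 this is the
     * vulnerable configuration whenever the template comes from outside.
     */
    static String interpolateWithDefaults(String template) {
        StringLookup allDefaults = StringLookupFactory.INSTANCE.interpolatorStringLookup();
        return new StringSubstitutor(allDefaults).replace(template);
    }

    public static void main(String[] args) {
        // Constructed template: two app variables, one date lookup and one prefix
        // ("sys") that is deliberately NOT on the allow-list.
        String template = "Service ${app} (${stage}) built ${date:yyyy}; home=${sys:user.home}";

        StringSubstitutor safe = restrictedSubstitutor(APP_VALUES);
        System.out.println(safe.replace(template));
        // ${app}, ${stage} and ${date:yyyy} are resolved. "${sys:user.home}" is
        // left in the output as literal text: "sys" is not a registered prefix,
        // the map lookup has no entry for it, and StringSubstitutor keeps
        // unresolved variables unchanged by default.
    }
}
```

The allow-list approach is independent of the library version: on 1.5 through 1.9 it removes the dangerous defaults from reach, and on 1.10.0, where script, dns and url are no longer part of the default set, it still documents in code exactly which lookups a template may use. Templates built from user-supplied text should in any case be treated as untrusted input and not handed to an interpolating substitutor at all.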
How can Text4Shell or Act4Shell give attackers an edge?
The vulnerable lookups allow untrusted input from remote attackers to trigger actions such as DNS requests, URL fetches, or execution of inline scripts. Any of these can lead to arbitrary code execution, or ACE.
ACE is similar to remote code execution and can give the attacker access to an application or the underlying system. From there, the attacker can read and inject additional code or instructions into the device's commands or processes.
ACE also often leads to access to sensitive data, which can be exfiltrated or used in further attacks within the target system and adjacent systems. Attackers could also disrupt or crash the service or host device by executing destructive commands.
Over the past few years, however, the most common outcome of ACE attacks has been ransomware or cryptomining: ACE can easily be used to take over a system, turning the compromise into a monetizable event for the attacker.
How to fix the Apache Commons Text vulnerability - CVE-2022-42889
Apache Commons Text users should upgrade immediately to the newest version, 1.10.0. Keep an eye out for third-party vendor patches as well: if their products were impacted, patches should be released in the coming days and weeks, and you will want to apply them promptly to reduce the potential attack surface.
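Before you can upgrade you need to know where the library is deployed, and commons-text frequently arrives as a transitive dependency or bundled inside another vendor's jar. The following inventory scanner is an added example, not an Automox or Apache tool: it walks a directory tree, identifies every jar that actually contains the org.apache.commons.text classes, reads the version from the Maven pom.properties that Apache jars ship under META-INF (falling back to the commons-text-<version>.jar file name), and flags anything in the 1.5 through 1.9 range. The class name and the report format are constructed for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

/**
 * Added example (not an Automox or Apache tool): find jars that carry
 * Apache Commons Text and report which ones are in the affected range.
 */
public class CommonsTextInventory {

    // A class that exists in every commons-text release; its presence proves the library is bundled.
    private static final String MARKER_CLASS = "org/apache/commons/text/StringSubstitutor.class";
    // Maven writes this file into the jar at build time; it survives shading into uber-jars.
    private static final String POM_PROPERTIES = "META-INF/maven/org.apache.commons/commons-text/pom.properties";
    // Standard artifact file name, e.g. commons-text-1.9.jar
    private static final Pattern FILE_VERSION = Pattern.compile("^commons-text-(\\d+\\.\\d+(?:\\.\\d+)?)\\.jar$");

    /** True when a version such as "1.9" or "1.9.0" lies in the affected range 1.5 through 1.9. */
    static boolean isAffected(String version) {
        String[] parts = version.split("\\.");
        if (parts.length < 2) {
            return false;
        }
        try {
            int major = Integer.parseInt(parts[0]);
            int minor = Integer.parseInt(parts[1]);
            return major == 1 && minor >= 5 && minor <= 9;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Returns the commons-text version found in this jar, "unknown" if the
     * classes are present but no version could be determined (typically a
     * shaded jar), or null if the jar does not contain the library.
     */
    static String commonsTextVersion(Path jar) {
        try (JarFile jf = new JarFile(jar.toFile())) {
            if (jf.getJarEntry(MARKER_CLASS) == null) {
                return null;
            }
            JarEntry pom = jf.getJarEntry(POM_PROPERTIES);
            if (pom != null) {
                Properties props = new Properties();
                try (InputStream in = jf.getInputStream(pom)) {
                    props.load(in);
                }
                String v = props.getProperty("version");
                if (v != null) {
                    return v.trim();
                }
            }
            Matcher m = FILE_VERSION.matcher(jar.getFileName().toString());
            return m.matches() ? m.group(1) : "unknown";
        } catch (IOException e) {
            return null; // unreadable file or not a jar at all
        }
    }

    /** Scans a tree and returns one report line per jar that contains commons-text. */
    static List<String> scan(Path root) throws IOException {
        List<String> report = new ArrayList<>();
        try (Stream<Path> files = Files.walk(root)) {
            files.filter(p -> p.toString().endsWith(".jar")).forEach(p -> {
                String v = commonsTextVersion(p);
                if (v == null) {
                    return;
                }
                String status = "unknown".equals(v) ? "VERIFY (bundled, version not recorded)"
                        : isAffected(v) ? "AFFECTED - upgrade to 1.10.0"
                        : "ok";
                report.add(p + "  version=" + v + "  " + status);
            });
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        for (String line : scan(root)) {
            System.out.println(line);
        }
    }
}
```

Run it against application directories, container image layers and vendor install paths (java CommonsTextInventory /opt/apps). Jars reported as "VERIFY" contain the library but carry no Maven metadata, which is what you see when a vendor repackaged the classes; those are exactly the cases where you depend on the third-party patches mentioned above rather than on a version bump of your own.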