Recently, a remote code execution flaw in the Apache Commons Text library stirred up the news world as people thought of it as the next Log4Shell. However, researchers confirm this isn’t the case, though users should still patch their systems to avoid exploitation.
Apache Commons Text Library Flaw
The Apache Commons Text library RCE flaw gained attention when a developer highlighted the issue on an Apache mailing list. Apache Commons Text is an open-source Java library of algorithms for working on strings.
Describing the vulnerability, CVE-2022-42889, the developer stated that in Apache Commons Text version 1.5 and above, the set of default Lookup instances included interpolators that allowed arbitrary code execution and connections to remote servers. An adversary could supply malicious input, such as DNS lookups or scripts, that the lookup strings would accept and process. As stated:
The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
– “script” – execute expressions using the JVM script execution engine (javax.script)
– “dns” – resolve dns records
– “url” – load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
Apache Fixed The Vulnerability With Version 1.10
Initially, the vulnerability seemed as severe as the infamous “Log4Shell”, the critical vulnerability in Apache Log4j that wreaked havoc last year, because Apache Commons Text is also a widely used open-source library.
However, Rapid7 researchers have now assured that the recent issue (dubbed “Text4Shell”) isn’t as severe. As explained in their post, exploiting the vulnerability in practice isn’t as easy as it sounds.
Besides, while Rapid7 initially considered the flaw as not affecting some JDK versions, researcher Alvaro Muñoz presented a PoC showing otherwise.
Hi Erik, I received some questions related to the JDK versions affected by this vulnerability. Can you please update your blog post to make it clear that all JDK versions are vulnerable? Nashorn is effectively not available in modern JDKs but JEXL is.
— Alvaro Muñoz (@pwntester) October 18, 2022
Therefore, the matter still deserves attention and prompt patching, since it puts numerous systems at risk.
The flaw affects Commons Text versions 1.5 to 1.9. Apache fixed the issue in version 1.10, which disables the problematic interpolators. Users should upgrade to this patched version to eliminate the threat of Text4Shell exploitation.
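The following is an added example, not code from the article or from the Apache project, illustrating the interpolation format and the three lookups quoted above together with the mitigation side: the weak setting (the library’s default interpolator) beside a restricted interpolator built from an allowlist, plus a coarse check for the risky prefixes. It assumes commons-text on the classpath; the class name, the “app” prefix and the sample input are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolation {

    // Constructed sample: a "configuration" value that arrived from an untrusted source.
    static final String UNTRUSTED =
        "host=${app:host} script=${script:javascript:1+1} addr=${dns:address|example.com}";

    // Coarse detection: flags the three interpolators named in the advisory.
    static final Pattern RISKY =
        Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    static boolean containsRiskyLookup(String value) {
        return RISKY.matcher(value).find();
    }

    // Weak setting: on Commons Text 1.5 to 1.9 the default interpolator resolves
    // script, dns and url, so untrusted input here can reach them.
    static String resolveWithDefaults(String value) {
        return StringSubstitutor.createInterpolator().replace(value);
    }

    // Corrected setting: only an allowlisted "app" lookup, no fallback lookup, and
    // the library defaults are NOT added. Unknown prefixes such as script: stay
    // unresolved in the output, whichever library version is on the classpath.
    static String resolveWithAllowlist(String value) {
        Map<String, String> appValues = new HashMap<>();
        appValues.put("host", "db.internal");               // constructed application value
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        StringLookup restricted =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(restricted).replace(value);
    }

    public static void main(String[] args) {
        System.out.println("risky input? " + containsRiskyLookup(UNTRUSTED));
        // Only app:host is substituted; the script: and dns: references are left as-is.
        System.out.println(resolveWithAllowlist(UNTRUSTED));
    }
}
```

The regex check is deliberately coarse and is meant for triage of configuration inputs, not as a substitute for upgrading to 1.10 or restricting the interpolator.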
Let us know your thoughts in the comments.