Apache Commons Text flaw is not a repeat of Log4Shell (CVE-2022-42889)
A freshly fixed vulnerability (CVE-2022-42889) in the Apache Commons Text library has been getting attention from security researchers these last few days, worrying it could lead to a repeat of the Log4Shell dumpster fire.
But the final verdict shows there’s no need to panic: while the vulnerability is exploitable (and there are proof-of-concept exploits online already), “The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input,” says Rapid7 AI researcher Erick Galinkin.
I fully agree on this btw, hopefully thread demonstrates.
I’d say the thing it demonstrates is the overall problems behind #Log4Shell aren’t solved. Orgs got lucky with this one, and we’re relying on individuals finding and disclosing potentially wide impacting bugs in future. https://t.co/Mx1X27OVpA
— Kevin Beaumont (@GossiTheDog) October 18, 2022
About CVE-2022-42889
CVE-2022-42889, discovered and reported by security researcher Alvaro Muñoz, is a vulnerability in the popular Apache Commons Text library, which is focused on algorithms working on strings.
“Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation,” the vulnerability description explains.
“Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
– “script” – execute expressions using the JVM script execution engine (javax.script)
– “dns” – resolve dns records
– “url” – load values from urls, including from remote servers.”
Attackers could send specially crafted payloads using these lookups to Java-based applications with vulnerable versions of the library, and achieve remote code execution.
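To make the mechanism concrete for developers, here is an added example (not code from the article, from Rapid7, or from the Apache Commons Text project) contrasting the risky default interpolator with a substitutor built from an explicit allow-list of lookups, plus an input guard for the three lookup prefixes named above. It assumes the public API of Apache Commons Text 1.10.0 (StringSubstitutor.createInterpolator, StringLookupFactory.interpolatorStringLookup, mapStringLookup and the KEY_SYS constant); the template, variable names and values are constructed for the illustration.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Added example: risky vs. hardened use of Commons Text interpolation. */
public class InterpolationHardening {

    // Lookup prefixes the advisory identifies as dangerous in 1.5 through 1.9.
    private static final String[] DANGEROUS_PREFIXES = { "${script:", "${dns:", "${url:" };

    /**
     * Risky pattern: createInterpolator() wires in the full default lookup set.
     * On 1.5-1.9 that set includes script, dns and url, so passing attacker-controlled
     * text here is exactly the exposure the advisory describes. Shown only to
     * illustrate what to look for in code review.
     */
    static String riskyRender(String untrustedTemplate) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(untrustedTemplate);
    }

    /**
     * Hardened pattern: register only the lookups this application needs and
     * disable the defaults (addDefaultLookups = false). Unknown prefixes such as
     * "script:" fall through to the map lookup, find nothing, and are left verbatim.
     */
    static String safeRender(String template, Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // Example of a deliberately permitted lookup; drop it if the app does not need it.
        allowed.put(StringLookupFactory.KEY_SYS,
                    StringLookupFactory.INSTANCE.systemPropertyStringLookup());

        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed,                                              // explicit allow-list
                StringLookupFactory.INSTANCE.mapStringLookup(values), // plain ${name} variables
                false);                                               // no default lookups

        return new StringSubstitutor(interpolator).replace(template);
    }

    /**
     * Defensive input check for code paths that still feed user text into an
     * interpolating substitutor (e.g. while waiting on a vendor patch). The library
     * matches prefixes case-insensitively, so the check lowercases first.
     */
    static boolean containsDangerousLookup(String input) {
        String lowered = input.toLowerCase(Locale.ROOT);
        for (String prefix : DANGEROUS_PREFIXES) {
            if (lowered.contains(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration.
        Map<String, String> values = new HashMap<>();
        values.put("name", "alice");

        String template = "Hello ${name}, your home directory is ${sys:user.home}";
        System.out.println(safeRender(template, values));

        // A guard a request handler could apply before any interpolation happens.
        String userInput = "plain greeting with ${name}";
        if (containsDangerousLookup(userInput)) {
            System.out.println("rejected: input contains a dangerous lookup prefix");
        } else {
            System.out.println(safeRender(userInput, values));
        }
    }
}
```

The guard is a stopgap, not a substitute for upgrading to 1.10.0 (which removes script, dns and url from the defaults) or for the allow-list construction in safeRender, which is the durable fix because it does not depend on recognising every way a prefix might be spelled.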
“Organizations who have direct dependencies on Apache Commons Text should upgrade to the fixed version (1.10.0),” Galinkin advised.
“As with most library vulnerabilities, we will see the usual tail of follow-on vendor advisories with upgrades for products that package vulnerable implementations of the library. We recommend that you install these patches as they become available, and prioritize any where the vendor indicates that their implementation may be remotely exploitable.”
PoCs and a detection tool, but no in-the-wild exploitation
A variety of PoC exploits have been released for CVE-2022-42889, which has informally been dubbed “Act4Shell” and “Text4Shell.”
JFrog researchers have also published a tool that developers can use to check whether their apps contain a vulnerable version of the library or vulnerable functions.
“The Log4J is a widely used Java library and any webserver running the vulnerable version could have been easily exploited while the Common Text library isn’t as prevalent,” says Christopher Budd, Senior Manager, Sophos Threat Research.
“Additionally, Log4J can be exploited with generic code while this new vulnerability likely requires code that is specific and targeted. Finally, most applications will not be passing unsanitized user provided values to the library’s vulnerable functions, reducing or negating the exploitation risks. Sophos X-Ops is not currently seeing the attacks exploiting CVE-2022-42889 in the wild, but will continue monitoring.”
Sophos researcher Paul Ducklin has additional advice for developers.