Vulnerability In Apache Commons Text Library
Date: 18-09-2022
On Tuesday 13 October 2022, a vulnerability was identified in the Apache Commons Text library [1]. This vulnerability allows attackers to remotely execute arbitrary code on servers running applications that use this library. Given the widespread use of this library, we inform you about this vulnerability in this Threat Response. This vulnerability is registered under the CVE number: CVE-2022-42889 and is also known as “Text4Shell”.
Today on 18 October 2022, the Dutch National Cyber Security Center (NCSC) published a security advisory [2] assessing the impact and risk of this vulnerability. The situation surrounding the vulnerability is currently evolving. The NCSC currently does not observe any active exploitation of the vulnerability. In this Threat Response, we explain the nature of the vulnerability, the NCSC’s current estimated impact and what you can do to prevent exploitation.
Description
On 13 October 2022, the vulnerability with CVE number CVE-2022-42889 was disclosed by Apache. The vulnerability concerns the Apache Commons Text library, a generic text manipulation library. The vulnerability affects versions 1.5 to 1.9. This vulnerability shows similarities to the Log4Shell vulnerability in Apache Log4J; however, there are circumstances that make successful exploitation more difficult. The exact circumstances for successful exploitation are currently unknown.
On 18 October 2022, the NCSC estimated the impact and risk of this vulnerability. The vulnerability resides in the functionality that handles text interpolation, namely “StringSubstitutor”. This is a function that converts variables in text into their corresponding values. Research has shown that three of its interpolation filters (lookups) can be abused: “script”, “dns” and “url”. Proof-of-concept code is available on the Internet that can be used to exploit this vulnerability.
Impact
Successful exploitation of vulnerability CVE-2022-42889 could lead to the execution of arbitrary code, resulting in a takeover of the server on which the application runs. The NCSC therefore estimates the impact of the vulnerability as high.
Risk
Currently, versions of Apache Commons Text 1.5 to 1.9 are known to be vulnerable, in combination with all versions of the JDK. JDK versions above 15 have the “StringSubstitutor” function disabled by default. However, if “StringSubstitutor” is used, Apache Commons Text still remains vulnerable. The NCSC currently does not report that the vulnerability is being exploited in practice. However, exploit code is publicly available. Therefore, the NCSC rates the risk as high.
Mitigation
To mitigate the vulnerability, update to Apache Commons Text version 1.10, which is available. Versions of the JDK above version 15 have the “StringSubstitutor” function disabled by default, so a default installation is not vulnerable. However, when this function is used, all JDK versions above 15 are also vulnerable.
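Where updating cannot happen immediately, or as defense in depth after updating, the application can construct its “StringSubstitutor” so that the “script”, “dns” and “url” lookups named above are never registered. The class below is an added example written for this Threat Response; it is not Northwave's code and not part of Apache Commons Text. It assumes the Commons Text 1.9/1.10 API (StringSubstitutor, StringLookupFactory, StringLookup) and uses constructed sample values.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not Northwave's or Apache's code): two ways to build a
 * StringSubstitutor whose interpolation cannot reach the "script", "dns"
 * and "url" lookups, regardless of the Commons Text version in use.
 */
public final class RestrictedSubstitutor {

    /**
     * Safest form: the only values that can ever be substituted are the
     * keys of a map the application controls. A reference such as
     * "${script:x}" is then merely a map key that does not exist, and the
     * substitutor leaves it untouched.
     */
    public static StringSubstitutor mapOnly(Map<String, String> values) {
        StringLookup lookup = StringLookupFactory.INSTANCE.mapStringLookup(values);
        return new StringSubstitutor(lookup);
    }

    /**
     * If "prefix:key" interpolation is genuinely needed, build the
     * interpolator from an explicit allowlist and pass addDefaultLookups =
     * false, so the library's built-in set (which in 1.5 to 1.9 includes
     * script, dns and url) is never registered.
     */
    public static StringSubstitutor allowlisted(Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(values));
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed,                                              // only these prefixes resolve
                StringLookupFactory.INSTANCE.mapStringLookup(values), // fallback for bare ${key}
                false);                                               // do NOT add the default lookups
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice"); // constructed sample value

        // Constructed template: one legitimate key and one reference to a
        // prefix that is not on the allowlist. Both substitutors resolve
        // ${user} and leave ${script:x} exactly as written.
        String template = "Hello ${user}, the reference ${script:x} stays unresolved";

        System.out.println(mapOnly(values).replace(template));
        System.out.println(allowlisted(values).replace(template));

        // The pattern to avoid on 1.5 to 1.9 is the library's default
        // interpolator, StringSubstitutor.createInterpolator(), which registers
        // every built-in lookup. Untrusted text must never reach its replace().
    }
}
```

The first form is preferable whenever templates only need application-supplied values. In both forms the real control is that text from outside the trust boundary is never passed to replace() of an interpolator that has more lookups than the application needs.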
What should you do?
We recommend identifying whether any systems are using the Apache Commons Text library and updating it to 1.10 if the current version is among the vulnerable versions (1.5 to 1.9).
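To support that inventory step, the following is an added example of a small audit tool, written for this Threat Response and not part of Northwave's or Apache's tooling. It walks a directory tree, opens every .jar it finds, reads the Maven metadata that the published commons-text jars carry (assumption: the standard path META-INF/maven/org.apache.commons/commons-text/pom.properties) and flags versions in the 1.5 to 1.9 range. Where that file is absent but the StringSubstitutor class is present (shaded or repackaged jars), it reports the jar as needing manual review.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.stream.Stream;

/** Added example: locate Apache Commons Text jars and flag affected versions. */
public final class CommonsTextAudit {

    // Assumption: Maven metadata at the standard location inside the published jar.
    private static final String POM_PROPS =
            "META-INF/maven/org.apache.commons/commons-text/pom.properties";
    // The class named in the advisory; its presence identifies a shaded copy.
    private static final String MARKER_CLASS = "org/apache/commons/text/StringSubstitutor.class";

    /** True if the version is within the affected range 1.5 to 1.9. */
    static boolean isAffected(String version) {
        String[] parts = version.split("[.-]");
        if (parts.length < 2) {
            return false;
        }
        try {
            int major = Integer.parseInt(parts[0]);
            int minor = Integer.parseInt(parts[1]);
            return major == 1 && minor >= 5 && minor <= 9; // 1.10 parses as minor 10 and passes
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Returns the commons-text version, "unknown" if only the marker class is
     * present (shaded jar, review manually), or null if the jar is unrelated.
     */
    static String versionOf(Path jar) {
        try (JarFile jf = new JarFile(jar.toFile())) {
            JarEntry props = jf.getJarEntry(POM_PROPS);
            if (props != null) {
                Properties p = new Properties();
                try (InputStream in = jf.getInputStream(props)) {
                    p.load(in);
                }
                return p.getProperty("version", "unknown");
            }
            return jf.getJarEntry(MARKER_CLASS) != null ? "unknown" : null;
        } catch (IOException e) {
            return null; // unreadable or not a jar: skip
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        try (Stream<Path> files = Files.walk(root)) {
            files.filter(f -> f.toString().endsWith(".jar")).forEach(jar -> {
                String v = versionOf(jar);
                if (v == null) {
                    return;
                }
                String verdict = "unknown".equals(v) ? "REVIEW (shaded, version not recorded)"
                        : isAffected(v) ? "AFFECTED, update to 1.10" : "ok";
                System.out.printf("%s%tcommons-text %s%t%s%n", jar, v, verdict);
            });
        }
    }
}
```

Run it against application and container image roots (for example the web server's lib directories). It only looks at jars that are on disk; dependencies resolved at build time should additionally be checked in pom.xml, build.gradle or the equivalent dependency report, since a fat jar may bundle the library's classes without any version record.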
What will Northwave do?
Northwave is investigating the possibility of detecting the vulnerability for customers with monitoring in place.
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Sources
[1]: https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
[2]: https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0650
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.