Vulnerability In Apache Commons Text Library

On Tuesday 13 October 2022, a vulnerability was identified in the Apache Commons Text library [1]. This vulnerability allows attackers to remotely execute arbitrary code on servers running applications that use this library. Given the widespread use of this library, we inform you about this vulnerability in this Threat Response. This vulnerability is registered under the CVE number: CVE-2022-42889 and is also known as “Text4Shell”.

Today on 18 October 2022, the Dutch National Cyber Security Center (NCSC) published a security advisory [2] assessing the impact and risk of this vulnerability. The situation surrounding the vulnerability is currently evolving. The NCSC currently does not observe any active exploitation of the vulnerability. In this Threat Response, we explain the nature of the vulnerability, the NCSC’s current estimated impact and what you can do to prevent exploitation.

Description

On 13 October 2022, the vulnerability with CVE number: CVE-2022-42889 was disclosed by Apache. The vulnerability concerns the Apache Commons Text library. This is a generic text manipulation library. The vulnerability affects versions 1.5 to 1.9. This vulnerability shows similarities to the Log4Shell vulnerability in Apache Log4J, however there are circumstances that make successful exploitation more difficult. The exact circumstances for successful exploitation are currently unknown.

On 18 October 2022, the NCSC estimated the impact and risk of this vulnerability. The vulnerability resides in the functionality that handles text interpolation, namely “StringSubstitutor”. This is a function that converts variables in text into their corresponding values. Research has shown that three filters can be abused: “script”, “dns” and “url”. Proof-of-concept code is available on the Internet that can be used to exploit this vulnerability.

Impact

Successful exploitation of vulnerability CVE-2022-42889 could lead to the execution of arbitrary code resulting in taking over the server on which the application runs. The NCSC therefore estimates impact of vulnerability as high.

Risk

Currently, versions of Apache Commons Text 1.5 to 1.9 are known to be vulnerable, in combination with all versions of JDK. JDK versions above 15 have the “StringSubstitutor” function disabled by default. However, if “StringSubstitutor” is used, Apache Commons Text still remains vulnerable. The NCSC currently does not report that the vulnerability is exploited in practice. However, exploit-code is publicly available. Therefore, the NCSC rates the risk as high.

Mitigation

To mitigate the vulnerability, version 1.10 is available for Apache Commons Text. Versions of JDK above version 15 have the “StringSubstitutor” function disabled by default, so the default installation is not vulnerable. However, when this function is used, all versions above JDK 15 are also vulnerable.

What should you do?

We recommend identifying whether any systems are using the Apache Commons Text library and updating it to 1.10 if the current version is among the vulnerable versions.

What will Northwave do?

Northwave is investigating the possibility of detecting the vulnerability for customers with monitoring in place.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.

Sources

[1]: https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/

[2]: https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0650

Disclaimer