Apache Commons Text vulnerability
This live blog contains information regarding the Apache Commons Text vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 27, 2022.

Update October 27, 2022
15:30 | Below is an overview detailing the impact of CVE-2022-42889 on our product portfolio. None of our products are affected by this vulnerability. For the products we use for our managed services, no impact has been reported; those products are not listed in the overview.
Background
On the 13th of October 2022, a vulnerability in the Apache Commons Text library was announced on the Apache dev list. Vulnerability CVE-2022-42889, also known as “Text4Shell”, may allow a malicious entity to perform code download or code execution within the context of the application, based on input controlled by the malicious entity.
Risk
Vulnerability CVE-2022-42889 may allow a malicious entity to perform code download or code execution within the context of the application, based on input controlled by the malicious entity. Multiple examples of code demonstrating how the vulnerable feature can be exploited have been published. This increases the chances of exploitation by malicious entities.
While the vulnerability shares similarities with Apache Log4j (Log4Shell), the attack surface of CVE-2022-42889 is more limited due to the specific use of the Apache Commons Text library.
Advice
CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. The vulnerability exists in the StringSubstitutor interpolator object. When the “script”, “dns”, or “url” lookups are enabled, a crafted string passed to the interpolator object can execute arbitrary scripts. To exploit this vulnerability, the malicious entity must control input that is passed to the vulnerable feature. Due to the nature of the feature, this is not very likely.
Besides the Apache Commons Text version, the JDK version matters for exploitability. Rapid7 tested their proof-of-concept exploit on different JDK versions, and the following versions are vulnerable:
- JDK version 1.8.0_341
- JDK version 9.0.4
- JDK version 10.0.2
- JDK version 11.0.16.1
- JDK version 12.0.2
- JDK version 13.0.2
- JDK version 14.0.2
Apache has published an update patching the vulnerability. It is strongly advised to upgrade to Apache Commons Text 1.10.0. Additionally, update any products where the vendor indicates their product is vulnerable.
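As an added illustration (not code from this advisory or from the Apache project), the following Java snippet contrasts the vulnerable pattern, where untrusted text reaches the default interpolator with all built-in lookups registered, with an allow-listed substitutor that only exposes the lookups the application needs. The `app` prefix, the `SafeInterpolation` class and the sample template are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Vulnerable pattern on Commons Text 1.5 - 1.9: createInterpolator()
    // registers every built-in lookup, including script, dns and url, so any
    // ${prefix:...} reference inside untrusted text is resolved by the library.
    static String vulnerable(String untrusted) {
        return StringSubstitutor.createInterpolator().replace(untrusted);
    }

    // Hardened pattern: allow-list only the lookups the application needs.
    // addDefaultLookups=false keeps script, dns, url and all other defaults out
    // of the interpolator, independent of the library version in use.
    // (1.10.0 also drops script/dns/url from the defaults; the allow-list is
    // still the least-privilege configuration after upgrading.)
    static String hardened(String template, Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(values));
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator).replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");
        // Constructed template: the app-controlled reference resolves, while a
        // prefix that is not on the allow-list is left as literal text instead
        // of being dispatched to a lookup.
        String template = "Hello ${app:user}, host=${dns:address|example.org}";
        System.out.println(hardened(template, values));
        // -> Hello alice, host=${dns:address|example.org}
    }
}
```

A unit test that feeds a `${script:...}`, `${dns:...}` or `${url:...}` reference through the production substitutor and asserts the text comes back unchanged is a cheap regression check that the allow-list is still in place.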
Sources
More information:
- NCSC advisory – https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0650
- Apache dev list – https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
- Apache feature documentation – https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html
- Rapid7 blog – https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/