
This live blog contains information regarding the Apache Commons Text vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 27, 2022.
Update October 27, 2022
15:30 | Below is an overview detailing the impact of CVE-2022-42889 on our product portfolio. None of our products are affected by this vulnerability. For the products we use in our managed services, no impact has been reported; those products are not listed in the overview.
| Vendor | Product | Status |
| --- | --- | --- |
| Compumatica | CompuMail Gateway | Not vulnerable |
| Compumatica | CryptoGuard | Not vulnerable |
| Compumatica | MagiCtwin | Not vulnerable |
| Compumatica | Security Management Station | Not vulnerable |
| Compumatica | CompuCrypt XL | Not vulnerable |
| Tesorion | Immunity | Not vulnerable |
Update October 18, 2022
16:00 | On the 13th of October 2022, a vulnerability in Apache Commons Text library was announced on the Apache dev list. Vulnerability CVE-2022-42889, also known as “Text4Shell”, may allow a malicious entity to perform code download or code execution within the context of the application, based on input controlled by the malicious entity.
While the vulnerability shares similarities with Apache Log4j (Log4Shell), the attack surface of CVE-2022-42889 is more limited due to the specific use of the Apache Commons Text library.
Limited information is currently available. This blog will be updated as new information becomes available, including, where applicable, an overview of the impact of CVE-2022-42889 on our product portfolio.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
Vulnerability information
On the 13th of October 2022, a vulnerability in Apache Commons Text library was announced on the Apache dev list. Vulnerability CVE-2022-42889, also known as “Text4Shell”, may allow a malicious entity to perform code download or code execution within the context of the application, based on input controlled by the malicious entity.
Potential Risk
Vulnerability CVE-2022-42889 may allow a malicious entity to perform code download or code execution within the context of the application, based on input controlled by the malicious entity. Multiple examples of code demonstrating how the vulnerable feature can be exploited have been published. This increases the chances of exploitation by malicious entities.
While the vulnerability shares similarities with Apache Log4j (Log4Shell), the attack surface of CVE-2022-42889 is more limited due to the specific use of the Apache Commons Text library.
Detail info
CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. The vulnerability exists in the StringSubstitutor interpolator object. Using the “script”, “dns”, or “url” lookups would allow a crafted string to execute arbitrary scripts when passed to the interpolator object. To be able to exploit this vulnerability, the malicious entity must control the input of a variable, which is used by the vulnerable feature. Due to the nature of the feature, this is not very likely.
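As an added illustration (not code from this advisory, from Rapid7 or from Apache Commons Text), the Java class below puts the vulnerable usage pattern next to an allow-listed interpolator that never consults the “script”, “dns” or “url” lookups, adds a cheap detection check for input that names those lookups, and reports whether the commons-text version actually loaded at runtime is one of the affected releases. The class name, method names and sample strings are assumptions made for this example; the `StringSubstitutor` and `StringLookupFactory` calls are the library's public API. In 1.10.0 the three lookups are no longer part of the default set, so the upgrade remains the primary fix; the allow-list form is defence in depth for code that cannot be upgraded yet.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example for this advisory; not code from Apache Commons Text or from the blog.
// Assumes commons-text is on the classpath. Class and method names are illustrative.
public class TemplateHardening {

    // Prefixes of the lookups named in the advisory. Matching on them is a cheap
    // log/input-filter signal, not a complete parser of the ${...} syntax.
    private static final Pattern RISKY_LOOKUP =
            Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    // Vulnerable pattern on 1.5 through 1.9: createInterpolator() registers every default
    // lookup, so a ${script:...}, ${dns:...} or ${url:...} inside the template is resolved.
    static String renderWithDefaultInterpolator(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // Hardened pattern: an interpolator with no named lookups and a plain map as the only
    // fallback. An unknown prefix falls through to the map, finds nothing and is left
    // unexpanded, whichever library version is on the classpath.
    static String renderAllowListed(String template, Map<String, String> allowedVars) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        StringLookup lookup = f.interpolatorStringLookup(
                new HashMap<String, StringLookup>(), // no named lookups at all
                f.mapStringLookup(allowedVars),      // default: the caller's own variables
                false);                              // addDefaultLookups = false
        StringSubstitutor sub = new StringSubstitutor(lookup);
        sub.setEnableSubstitutionInVariables(false); // no nested ${...} expansion either
        return sub.replace(template);
    }

    // Detection hook: flag input that tries to reach one of the risky lookups.
    static boolean containsRiskyLookup(String input) {
        return input != null && RISKY_LOOKUP.matcher(input).find();
    }

    // Reads Implementation-Version from the commons-text jar manifest and reports whether
    // it is one of the affected releases (1.5 through 1.9). A null version (e.g. a
    // repackaged jar) is treated as affected until the build tool confirms otherwise.
    static boolean loadedVersionIsAffected() {
        String v = StringSubstitutor.class.getPackage().getImplementationVersion();
        if (v == null) {
            return true;
        }
        String[] parts = v.split("\\.");
        int major = Integer.parseInt(parts[0]);
        int minor = Integer.parseInt(parts[1].replaceAll("[^0-9].*", ""));
        return major == 1 && minor >= 5 && minor <= 9;
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("user", "alice");

        // Constructed sample inputs: the second one carries only a risky lookup prefix
        // with a placeholder body, which is all the checks above need to see.
        String[] samples = { "Hello ${user}", "Hello ${url:PLACEHOLDER}" };
        for (String s : samples) {
            System.out.println("input   : " + s);
            System.out.println("flagged : " + containsRiskyLookup(s));
            System.out.println("rendered: " + renderAllowListed(s, vars));
        }
        System.out.println("affected commons-text version loaded: " + loadedVersionIsAffected());
    }
}
```

Compile and run it with the commons-text jar on the classpath; the `renderWithDefaultInterpolator` method is included only to show the shape of code worth searching for in a codebase, and the allow-listed renderer is the one to call with anything derived from user input.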
Besides the Apache Commons Text version, the JDK version matters for exploitability. Rapid7 tested their proof-of-concept exploit on different JDK versions, and the following versions are vulnerable:
- JDK version 1.8.0_341
- JDK version 9.0.4
- JDK version 10.0.2
- JDK version 11.0.16.1
- JDK version 12.0.2
- JDK version 13.0.2
- JDK version 14.0.2
Call to action
Apache has published an update patching the vulnerability. It is strongly advised to upgrade to Apache Commons Text 1.10.0. Additionally, update any products where the vendor indicates their product is vulnerable.
Sources
More information:
- NCSC advisory – https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0650
- Apache dev list – https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
- Apache feature documentation – https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html
- Rapid7 blog – https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/