Wednesday, January 15, 2025
HomeCVE/vulnerabilityApache Commons "Text4Shell" Flaw Could Trigger Code Execution With Malicious Input

Apache Commons “Text4Shell” Flaw Could Trigger Code Execution With Malicious Input

Published on

Many people are concerned about an RCE flaw in the Apache Commons Text library. They believe that this RCE flaw may turn out to be the next successive “Log4shell” flaw.

The new RCE flaw in Apache Commons Text is tracked as CVE-2022-42889 and the flaw has been dubbed “Text4Shell.” The GitHub security analyst Alvaro Munoz was the one who discovered the issue. A report was already sent by him to Apache on March 9, 2022, informing them of the issue.

There are many open-source Java libraries out there, but Apache Commons Text is one of the most popular, as this library comes with an interpolation system. 

Based on an inputted string lookup as a basis for the interpolation system, the developers have the possibility of performing the following tasks with the values of strings:-

  • Ability to modify
  • Ability to decode
  • Ability to escape

Technical Analysis

The flaw exists due to the interpolation system, as it executes hazardous script evaluation, which causes the appearance of Text4Shell vulnerability.

Using the library’s default configuration, it is possible for this system to trigger code execution in the event of malicious input being processed.

As a result of variable interpolation, Apache Commons Text is capable of dynamic evaluations and expansions of properties. As far as interpolation is concerned, the standard format is as follows:-

  • ${prefix:name}

Here to locate the instance of “org.apache.commons.text.lookup.StringLookup” the “prefix” is used and with the help of the located instance the interpolation process is performed.

On October 12, 2022, the open-source library developers published a bug-fixing version 1.10.0 for their open-source library, which removes the interpolation feature, a fix that took 7 months to complete.

Disclosure Timeline

  • 2022-03-09: Issue reported to security@commons.apache.org
  • 2022-03-25: Apache Commons security team acknowledged receiving the report
  • 2022-05-27: GHSL requested a status update
  • 2022-05-27: Apache Commons security team notifies they are working on disabling the script interpolation by default
  • 2022-06-29: Apache Commons security team states that “Commons Text” will be updated, in order to make the programmer’s intention completely explicit on using a “dangerous” feature
  • 2022-08-11: GHSL requested a status update
  • 2022-10-12: Apache Commons Text releases version 1.10.0 where script interpolation is disabled by default

Do you need to be concerned?

Like the damage done by the Log4Shell vulnerability, in the beginning, many users were concerned about the damage that could be done by the distribution of the vulnerable library due to its widespread deployment.

There is no indication that all versions between 1.5 and 1.9 are vulnerable. Depending on the JDK version that is being used, the exploitation potential is primarily affected.

There is a flaw in the string interpolation algorithm, which is a documented feature, but the scope of the flaw is not as serious as in Log4Shell.

Recommendation

The developers have recently updated the Apache Commons Text library to fix this flaw. So, they have strongly recommended users who use the Apache Commons Text library upgrade their old version to 1.10 or higher to remain safe.

Moreover, there has also been confirmation from Apache’s security team that the issue does not bear any similarity to Log4Shell, in short, it’s now so critical or serious as Log4Shell vulnerability.

Also Read: Download Secure Web Filtering – Free E-book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Aembit Announces Speaker Lineup for the Inaugural NHIcon

Aembit, the non-human identity and access management (IAM) company, unveiled the full agenda for...

Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%

Sweet Security, a leader in cloud runtime detection and response, today announced the launch...

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

Hackers Exploiting Fortinet Zero-day Vulnerability In Wild To Gain Super-Admin Privileges

A critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy products is being actively exploited...

Critical SAP NetWeaver Flaws Let Hackers Gain System Access

SAP has released its January 2025 Security Patch Day updates, addressing 14 new vulnerabilities,...