Clearing the Fog: Text4Shell is a Serious Vulnerability But Not Nearly as Bad As Log4Shell

essidsolutions

A recently patched vulnerability in the Apache Commons Text library hit the headlines this week. Dubbed Text4Shell or Act4Shell, the vulnerability is eliciting some disconcerting responses from the security and tech communities, possibly due to its name and the fact that, like Log4Shell, it resides in another open-source Java-based tool. However, experts suggest it is too soon to tell.

Tracked as CVE-2022-42889, Text4Shell was discovered by GitHub Security Labs researcher Alvaro Muñoz in March 2022. Apache Commons Text is an open-source library for working with Java strings (objects that represent sequences of characters, or char values).

It contains several utility methods and packages that offer string-related algorithmic text manipulation and other capabilities, such as calculating string differences (or similarities), translation, and other ways of handling text.

Muñoz summarized Text4Shell as “the StringSubstitutor default interpolators may lead to unsafe script evaluation and arbitrary code execution.” In other words, the StringSubstitutor interpolator, which enables the evaluation and retrieval of an input string, can execute code arbitrarily and remotely because some default lookups may accept untrusted and malicious input.

The Apache Software Foundation noted, “The standard format for interpolation is ‘${prefix:name},’ where ‘prefix’ is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. The set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.”

The default lookups that could enable an attacker to execute code are script (allows execution of expressions), dns (used to resolve dns records), and url (used to load values from urls). “The dns, script and url functions are particularly dangerous, because they could lead to untrusted data, received from outside your network but processed or logged on one of the business logic servers inside your network,” explained Paul Ducklin, principal research scientist at Sophos.

So if an attacker can get a string containing the dns lookup followed by a hostname interpolated, the target server performs the DNS resolution itself, which could be used to map out the entire internal network of their target.


CVE-2022-42889, or Text4Shell, has a CVSS score of 9.8 out of 10. It affects Apache Commons Text versions 1.5 through 1.9, and its proof of concept is publicly available though there have not been any known exploitation cases yet.

Research also revealed that Text4Shell exploitation was possible on some JDK versions (1.8.0_341, 9.0.4, 10.0.2, 11.0.16.1, 12.0.2, 13.0.2, 14.0.2) but not all. Exploitation failed on JDK versions 15.0.2, 16.0.2, 17.0.4.1, 18.0.2.1, and 19.

It is true that the software supply chain is somewhat dependent on Apache Commons Text. Still, security experts point out that use of the StringSubstitutor interpolator isn’t that widespread (unlike the string substitutor in Log4j), making the comparison ill-thought-out.

“While there was some initial concern from the industry that it is at the caliber of Log4shell, the reality is that it is not nearly as widespread or exploitable. The class/method involved in this vulnerability is rarely used and a quick GitHub search shows very few open source programs using the vulnerable method, and most that are, are not parsing user controlled input,” David Lindner, CISO at Contrast Security, told Spiceworks.

A quick search on Maven Repository reveals that 2,591 projects have a dependency on Apache Commons Text.

Lindner added, “From what we’ve seen so far, this CVE seems more like a developer adding a backdoor, more than anything. I’m not as concerned that this will amount to much, as it’s not like Log4j where an application is gathering user-controlled input and logging it, which could result in exploiting the log4shell vulnerability.”

Rapid7’s Erick Galinkin, principal artificial intelligence researcher, also concludes something similar. “Initial analysis indicates that this [Text4Shell to Log4Shell] is a bad comparison. The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.”

As part of the mitigation efforts, administrators are advised to upgrade to Apache Commons Text 1.10.0. Besides updating to the patched version, Ducklin advised that admins sanitize inputs to filter out untrusted data and double-check whether any network or application dependencies rely on Apache Commons Text.
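The following Java snippet is an added example, not code from the article, Apache, or any quoted vendor. It ties together the ${prefix:name} format and its risky default prefixes described above with the advice to filter untrusted input: one method flags input that would reach the script, dns or url lookups, and a second builds a StringSubstitutor that registers no default lookups at all instead of calling the library's default interpolator. It assumes Apache Commons Text is on the classpath; the class and method names RestrictedInterpolation, containsRiskyLookup and restrictedSubstitutor are constructed for illustration, while the StringLookupFactory and StringSubstitutor calls are the library's own API.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolation {

    // The default lookup prefixes the article names as dangerous in 1.5 through 1.9.
    static final Set<String> RISKY_PREFIXES = Set.of("script", "dns", "url");

    // Matches the "${prefix:" opening of an interpolation so the prefix can be inspected.
    private static final Pattern PREFIX = Pattern.compile("\\$\\{\\s*([A-Za-z]+)\\s*:");

    /** True when the text contains an interpolation that would hit a risky default lookup. */
    static boolean containsRiskyLookup(String text) {
        Matcher m = PREFIX.matcher(text);
        while (m.find()) {
            if (RISKY_PREFIXES.contains(m.group(1).toLowerCase())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds a substitutor whose only lookup is the caller's variable map.
     * Passing addDefaultLookups=false keeps script/dns/url (and every other default)
     * out of the interpolator, whichever library version is on the classpath.
     */
    static StringSubstitutor restrictedSubstitutor(Map<String, String> vars) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        StringLookup interpolator = factory.interpolatorStringLookup(
                Map.of(),                       // no named prefixes registered
                factory.mapStringLookup(vars),  // plain ${name} resolves from vars only
                false);                         // do not add the default lookups
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> vars = Map.of("user", "alice");
        // Constructed sample input: a legitimate variable next to an unregistered prefix.
        String input = "Hello ${user}, ${script:javascript:constructed-example}";

        // The filter flags the input before it reaches any interpolation.
        System.out.println("risky input: " + containsRiskyLookup(input));
        // With no script lookup registered, ${user} is replaced and the rest is left as literal text.
        System.out.println(restrictedSubstitutor(vars).replace(input));
    }
}
```

Unregistered prefixes fall through to the map lookup, which returns null for them, so the substitutor leaves that part of the string unexpanded rather than evaluating anything.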

“We found Contrast Protect blocks the attack,” Lindner said.

Text4Shell is the second Apache Commons vulnerability discovered in 2022. Earlier, Apache Commons Configuration was found to have CVE-2022-33980, also a remote code execution vulnerability, enabled by the use of ConfigurationInterpolator with the default variable lookups for interpolation.
