Security teams must be alert to the possibility of compromise arising from a vulnerability in Apache Commons Text which could put many organizations at risk, but is unlikely to be as impactful as the 2021 Log4Shell vulnerability.
First disclosed on October 13 and assigned CVE-2022-42889, the vulnerability arises from how Apache Commons Text, a popular text manipulation toolkit that extends the text processing facilities of the standard Java Development Kit, performs variable interpolation, also known as string substitution.
The library provides a standard lookup format for interpolation, but versions 1.5 through 1.9 were found to enable, by default, additional lookups that could be fed untrusted data by a remote attacker, leading to remote code execution.
Version 1.10.0 of Apache Commons Text disables these problematic formats by default, and users are advised to upgrade to this version immediately. Paul Ducklin of Sophos further advised users to sanitize their inputs by searching for and excluding potentially dangerous character sequences from the input; search their networks for Apache Commons Text software they may not have known they had; and monitor for breaking news about cyberattacks related to the issue.
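To make the two patterns concrete, here is an added example (not code from the article or from the Apache Commons Text project) contrasting the risky use of the library's default interpolator with a hardened substitutor that resolves only keys from the application's own map, plus a simple pre-check of the kind Ducklin describes. The class name, the `VALUES` map, the sample input string and the helper method names are constructed for illustration; `StringSubstitutor.createInterpolator()` and `StringLookupFactory.INSTANCE.mapStringLookup()` are the library's real API.

```java
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

// Constructed demo class; not part of Apache Commons Text.
public class InterpolationHardeningDemo {

    // Constructed sample data: the only placeholder the application intends to support.
    static final Map<String, String> VALUES = Map.of("user", "alice");

    // Matches "${prefix:...}" where a lookup prefix precedes a colon. This is the
    // shape of the prefixed lookups the interpolator understands, so its presence in
    // caller-supplied text is a signal that the input should be rejected or escaped.
    static final Pattern PREFIXED_LOOKUP =
            Pattern.compile("\\$\\{\\s*[A-Za-z][A-Za-z0-9_]*\\s*:");

    /** Risky pattern: the default interpolator honours every prefixed lookup
     *  (e.g. sys, env and, on 1.5 through 1.9, the script/dns/url lookups the
     *  advisory concerns) inside whatever string it is handed. Passing untrusted
     *  text here is the condition CVE-2022-42889 requires. */
    static String renderWithDefaultInterpolator(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    /** Hardened pattern: resolve only keys present in our own map. No prefixed
     *  lookup is ever consulted, so an attacker-supplied "${prefix:...}" is left
     *  in the output as literal text instead of being evaluated. */
    static String renderFromOwnMap(String template) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.mapStringLookup(VALUES));
        return sub.replace(template);
    }

    /** Input pre-check of the kind the article recommends: flag text that contains
     *  a prefixed-lookup sequence before it reaches any substitutor. */
    static boolean containsPrefixedLookup(String input) {
        return PREFIXED_LOOKUP.matcher(input).find();
    }

    public static void main(String[] args) {
        // Constructed "untrusted" input: a legitimate placeholder followed by a
        // prefixed lookup the application never intended to expose.
        String untrusted = "Hello ${user}, running ${sys:java.version}";

        System.out.println("pre-check flags input: " + containsPrefixedLookup(untrusted));
        System.out.println("own-map substitutor : " + renderFromOwnMap(untrusted));
        if (!containsPrefixedLookup(untrusted)) {
            // Only reached for inputs with no prefixed lookups.
            System.out.println("default interpolator: " + renderWithDefaultInterpolator(untrusted));
        }
    }
}
```

With the own-map substitutor, `${user}` is replaced from `VALUES` while `${sys:java.version}` survives untouched in the output; the default interpolator would instead evaluate the `sys:` lookup, and on 1.5 through 1.9 would equally evaluate `script:`, `dns:` and `url:` lookups. The regex pre-check is a defence-in-depth measure only: the reliable fix is to upgrade to 1.10.0 and to never feed caller-controlled text to an interpolator that has prefixed lookups enabled.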
With the December 2021 Log4Shell incident still fresh in the minds of security professionals, and exploitation of it still widespread almost 12 months later, it’s no surprise that some are already calling this flaw Text4Shell.
And indeed, there are some similarities, as Erick Galinkin of Rapid7 pointed out. Most importantly, both are open-source library-level vulnerabilities that can affect a huge number of software applications in which they are used.
“However, initial analysis shows that this is a poor comparison,” Galinkin wrote. “The nature of the vulnerability means that, unlike Log4Shell, a rare application will use the vulnerable Commons Text component to process untrusted, potentially malicious data.”
Also, he added, after testing a proof-of-concept exploit against multiple versions of the JDK, the Rapid7 team reported varying levels of success.
“There are significant caveats to the practical exploitation of CVE-2022-42889,” Galinkin wrote. “That being said, we still recommend patching any relevant affected software according to your normal non-fire hair patching cycle.”
Likewise, Sophos Threat Research senior manager Christopher Budd advised security teams not to panic.
“Log4J is a widely used Java library, and any web server running the vulnerable version can be easily exploited, while the Commons Text library is not as common,” he said.
“Furthermore, Log4J can be used with generic code, whereas this new vulnerability likely requires code that is specific and targeted.” Finally, most applications will not pass unsanitized, user-supplied values to vulnerable library functions, reducing or negating the risks of exploitation.
“Sophos X-Ops is not currently seeing attacks exploiting CVE-2022-42889 in the wild, but will continue to monitor,” Budd said.