Apache vulnerability a risk, but not as widespread as Log4Shell

Security teams should be alert to the possibility of compromise arising from a vulnerability in Apache Commons Text that may put many organisations at risk, but is unlikely to be as impactful as 2021’s Log4Shell vulnerability.

First disclosed on 13 October, and assigned CVE-2022-42889, the vulnerability arises from how Apache Commons Text – a popular text manipulation toolkit offering additions to the standard Java Development Kit’s (JDK’s) text handling – performs variable interpolation, also known as string substitution.

The library contains a standard lookup format for interpolation, but versions 1.5 through 1.9 were found to contain some other default lookups that could accept untrusted input from a remote attacker, leading to remote code execution (RCE).

Version 1.10.0 of Apache Commons Text disables these problematic formats by default, and users are advised to upgrade to this version immediately. Paul Ducklin of Sophos additionally advised users to sanitise their inputs by hunting out and excluding potentially dangerous character sequences from the input; to search their networks for Apache Commons Text software they may not have known they had; and to keep an eye open for breaking news of cyber attacks linked to the issue.
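An illustration, added here and not code from the article or from the Commons Text project, of the weak default-interpolator pattern next to a hardened form that allowlists a single lookup namespace and screens untrusted input for substitution syntax. The class name, the `cfg` namespace and the sample values are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Weak pattern on Commons Text 1.5-1.9: createInterpolator() wires in
    // every default lookup, so any untrusted value reaching replace() can
    // select lookups the application never intended to expose.
    static String weak(String untrusted) {
        return StringSubstitutor.createInterpolator().replace(untrusted);
    }

    // Hardened form: an explicit allowlist of lookups, no default lookup,
    // and addDefaultLookups=false so no other "${prefix:...}" is reachable.
    static StringSubstitutor allowlisted(Map<String, String> config) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("cfg", StringLookupFactory.INSTANCE.mapStringLookup(config));
        StringLookup interp = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interp);
    }

    // Input guard in the spirit of the sanitisation advice above: untrusted
    // strings should never carry the "${" sequence that opens a substitution.
    static void rejectInterpolationSyntax(String untrusted) {
        if (untrusted.contains("${")) {
            throw new IllegalArgumentException("interpolation syntax in untrusted input");
        }
    }

    public static void main(String[] args) {
        Map<String, String> config = new HashMap<>();
        config.put("appName", "inventory");   // constructed sample config
        StringSubstitutor safe = allowlisted(config);

        // A trusted template resolves only through the allowlisted "cfg" namespace.
        System.out.println(safe.replace("Service: ${cfg:appName}"));

        // Unknown prefixes resolve to nothing and are left verbatim, not acted on.
        System.out.println(safe.replace("${nope:anything}"));

        // Untrusted values are screened before they ever reach a substitutor.
        String untrusted = "user-supplied ${nope:anything}";   // constructed sample input
        try {
            rejectInterpolationSyntax(untrusted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```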

With the December 2021 Log4Shell incident – the exploitation of which remains widespread almost 12 months on – still fresh in the minds of security professionals, it is not surprising that some are already calling it Text4Shell.

And indeed, there are some similarities, as Rapid7’s Erick Galinkin pointed out. Most significantly, both are open source, library-level vulnerabilities that can impact a huge number of software applications in which they are used.

“However, initial analysis indicates that this is a bad comparison,” wrote Galinkin. “The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.”

Furthermore, he added, having tested a proof-of-concept exploit against multiple JDK versions, the Rapid7 team had reported varying levels of success.

“There are significant caveats to practical exploitability for CVE-2022-42889. With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle,” wrote Galinkin.

Sophos Threat Research senior manager Christopher Budd also advised security teams not to panic unduly.

“Log4J is a widely used Java library and any webserver running the vulnerable version could have been easily exploited while the Common Text library isn’t as prevalent,” he said.

“Additionally, Log4J can be exploited with generic code while this new vulnerability likely requires code that is specific and targeted. Finally, most applications will not be passing unsanitised user provided values to the library’s vulnerable functions, reducing or negating the exploitation risks.

“Sophos X-Ops is not currently seeing attacks exploiting CVE-2022-42889 in the wild, but will continue monitoring,” said Budd.
