A vulnerability in Apache Commons Text could give cybercriminals remote access to servers, triggering a Log4Shell-like situation, researchers at Sophos found. The Apache software foundation (ASF) has released a patch for this vulnerability, which has affected the popular open-source Java library designed for working with strings. The flaw CVE-2022-42889 had a CVSS score of 9.8 out of 10.
The vulnerability
The vulnerability was found in versions 1.5 through 1.9 of Apache Common Texts. The update was made available on September 24, but the advisory was released on October 13. It said that the default Lookup instances had interpolators that would offer remote access to cybercriminals. The interpolators could lead to arbitrary code execution, which is a kind of hacking. Arbitrary code execution often relies on software and hardware flaws or errors.
Simply put, the vulnerability could allow untrusted input, such as data submitted in a web form or content extracted from an email, to be processed by a part of your program that performs substitution or interpolation, explained the researchers. This could lead to a cybersecurity crisis.
The Log4Shell situation showed that an unpatched feature in an Apache programming library called Log4J (Logging For Java) made untrusted input possible. This remote code execution vulnerability allowed attackers to drop malware or ransomware on a target system, leading to complete compromise of the network, the theft of sensitive information, and even sabotage.
“Commons Text is a general-purpose text manipulation toolkit, described simply as ‘a library focused on algorithms working on strings’,” wrote Paul Ducklin, a principal research scientist at Sophos.
“Even if you are a programmer who hasn’t knowingly chosen to use it yourself, you may have inherited it as a dependency – part of the software supply chain – from other components you are using.”
So far, there have been no reports of exploitation of this vulnerability. The primary step to avert the risk is to update to Commons Text 1.10.0. “In this version, the dns, url and script functions have been turned off by default. You can enable them again if you want or need them, but they won’t work unless you explicitly turn them on in your code,” Ducklin wrote.
Researchers are speculating that there is a similarity between CVE-2022-42889 and another vulnerability CVE-2022-33980 that was discovered in July, this year. Both flaws are about variable interpolation in Apache commons text. Moreover, both vulnerabilities share the same severity score of 9.8. The older vulnerability also made having remote access or arbitrary code execution possible due to interpolations.