According to WordPress security firm Defiant, attempts have already been made to exploit a new vulnerability in Apache Commons Text (CVE-2022-42889). Called Text4Shell and affects versions 1.5 to 1.9 of the library. Some believe that this issue could become the new Log4Shell. The issue scored 9.8 out of 10 on the CVSS vulnerability rating scale.
Let me remind you that we also wrote that the Chinese hack group Aquatic Panda exploits Log4Shell to hack educational institutions.
Issue CVE-2022-42889 was disclosed earlier this week. Apache Commons Text is an open-source Java library for manipulating character strings. And back in March 2022, GitHub Security Lab expert Alvaro Muñoz discovered that the library was vulnerable to an RCE vulnerability related to unreliable data handling and variable interpolation.
Apache Commons developers last week, with the release of version 1.10.0, where the problematic interpolators were disabled.
Since many developers and organizations use Apache Commons Text, and the vulnerability even affects versions of the library released back in 2018, some experts warned that the problem could become a new Log4Shell. As a result, CVE-2022-42889 was named Text4Shell or Act4Shell, but it soon became clear that such concerns were most likely unnecessary.
In particular, analysts from Rapid7 published their analysis of the problem. They explained that not all library versions from 1.5 to 1.9 are vulnerable, and the potential for exploitation is associated with the version of the JDK used. They also note that it is not entirely correct to compare the new vulnerability with Log4Shell.
The researchers tested the PoC exploits on various versions of the JDK, and it worked without warning only on versions 9.0.4, 10.0.2, and 1.8.0_341. However, it should be noted that an updated PoC exploit has already been presented that works on all vulnerable versions, and it turned out that JDK 15+ versions are also affected by the bug.
Sophos experts also agreed with colleagues’ point of view, who said that the vulnerability is dangerous, but at present, it is not as easy to use it on vulnerable servers as Log4Shell. And even Munoz himself, who discovered the bug, also explained that, despite the similarity to Log4Shell, the new vulnerability is likely to be widespread and much less dangerous.
This is also the opinion of the Apache security team, who stated that the scale of the problem is not comparable to Log4Shell, and string interpolation is a documented feature. That is, it is unlikely that applications using the library will inadvertently pass unsafe input without validation.
However, despite all these reports of specialists, Defiant analysts warned that hackers have already begun to exploit CVE-2022-42889. The company has monitored 4,000,000 sites since the issue was disclosed (October 17) and now reports that it has detected hacking attempts that originate from approximately 40 IP addresses and began on October 18. So far, it is only about intelligence.
It should also be noted that the Apache Commons Text library remains vulnerable even after updating to version 1.10.0, and the exploitation of the problem “depends on how it is used and there are no guarantees in the unsafe use of the library inside your product or a borrowed package.”