Apache Commons Text vulnerability not as serious as Log4Shell, researchers say

The newly disclosed RCE bug stems from the insecure implementation of Commons Text's variable interpolation feature, but it is hard to exploit

Over the last few days, security researchers have been paying attention to a freshly patched vulnerability in the Apache Commons Text library. Many of them are concerned that this security flaw might become the next Log4Shell.

However, most cybersecurity experts believe that there is no reason for alarm since the new flaw, called 'Text4Shell' by many, is nowhere near as concerning as the Log4Shell issue.

The Log4Shell bug, which was uncovered in December 2021 and tracked as CVE-2021-44228, existed in the Apache Log4j Java logging library.

Researchers described Log4Shell as a highly dangerous, widespread and easy-to-exploit bug which enabled attackers to execute malicious code on Java applications.

The vulnerability was triggered when a specially crafted string, supplied by the attacker through any of a variety of input vectors, was parsed and processed by the vulnerable Log4j component.

Text4Shell (CVE-2022-42889) is a remote code execution (RCE) bug affecting the open-source Apache Commons Text library, which is mostly used for string-processing algorithms.

The library features an "interpolation system" that enables developers to alter, decode, generate, and escape strings based on string lookups embedded in the input.

CVE-2022-42889 stems from the insecure implementation of Commons Text's variable interpolation feature. In particular, certain lookups enabled by default can act on untrusted input from remote attackers, such as URLs, DNS queries or inline scripts.
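The two usage patterns at issue, as an added example that is not part of this article or of the Commons Text project: the vulnerable form, in which an interpolator carrying all default lookups is applied to an untrusted value, beside a hardened form that registers only an allowlisted lookup so that prefixes such as `dns`, `url` and `script` are never resolved. Class, method and variable names and the sample configuration value are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Vulnerable pattern (Commons Text 1.5 - 1.9): the default interpolator
    // registers every built-in lookup, including script, dns and url, so any
    // untrusted value reaching replace() can select one of those lookups.
    static String resolveWithDefaults(String untrustedValue) {
        return StringSubstitutor.createInterpolator().replace(untrustedValue);
    }

    // Hardened pattern: register only the lookups the application needs (here
    // a fixed map of known variables under the "app" prefix) and pass false so
    // no default lookups are added. A variable whose prefix is not registered
    // has no lookup and no fallback, so it is left in the output as literal text.
    static String resolveAllowlisted(String value, Map<String, String> knownVars) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(knownVars));
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator).replace(value);
    }

    public static void main(String[] args) {
        Map<String, String> knownVars = new HashMap<>();
        knownVars.put("name", "inventory-service");

        // Constructed sample configuration value: one legitimate reference to
        // an allowlisted variable and one reference to a lookup the
        // application never intended to expose.
        String configValue =
                "service=${app:name}; probe=${dns:address:example.invalid}";

        // Only ${app:name} is substituted; the dns reference stays unresolved.
        System.out.println(resolveAllowlisted(configValue, knownVars));
    }
}
```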

Apache Commons Text versions 1.5 through 1.9 are vulnerable to CVE-2022-42889, and the flaw has been addressed in Commons Text version 1.10.0.

The credit for the discovery of CVE-2022-42889 goes to security researcher Alvaro Muñoz, who reported the bug to Apache on March 9, 2022.

However, the open-source library's creators took nearly seven months to release a fix in version 1.10.0, which was released on October 12, 2022 and disables interpolation.

"Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers," a developer in the Apache mailing list explained.

"Applications using the interpolation defaults in the affected versions may be vulnerable to RCE or unintentional contact with remote servers if untrusted configuration values are used."

Some researchers were initially concerned that CVE-2022-42889 could result in widespread harm, similar to the Log4Shell vulnerability, due to the extensive deployment of the vulnerable library and the fact that the weakness affects versions that date as far back as 2018.

These worries were quickly allayed by Rapid7 researchers, who noted that, unlike Log4Shell, it would be uncommon for a program to utilise the susceptible component of Commons Text to handle untrusted, possibly malicious input.

The researchers noted that there are significant caveats to the practical exploitability of CVE-2022-42889, much like with Spring4Shell, a critical vulnerability in the Java Spring framework that is nonetheless hard to exploit because it requires an attacker to find compatible components with the right characteristics.

According to Apache, this bug is distinct from Log4Shell because of the latter's ability to interpolate strings from the log message body, which often includes untrusted input.

In the Apache Commons Text issue, the relevant method is explicitly intended to perform string interpolation.

As a result, the likelihood that applications will inadvertently pass in untrusted input without performing the necessary validation is significantly reduced.

Tenable senior research engineer Claire Tills noted that, despite the vulnerability having a 9.8 out of 10 CVSS score, it appears to require certain application development techniques and configurations that are not common.

Nevertheless, it is likely to be a significant endeavour to track down and patch all vulnerable instances of Apache Commons Text, said Varun Badhwar, CEO and co-founder of Endor Labs.

"What's most concerning is the amount of time it will take end users of this dependency to actually investigate and remediate the issue."

JFrog researchers say they have released a tool that developers can use to determine if their applications utilise a vulnerable version of the library or vulnerable functionality.