Apache Commons Text Code Execution Flaws Disclosed, Exploit Available

Apache Software Foundation (ASF) has released a fix for a critical-severity vulnerability in the Apache Commons Text library, leading to remote code execution. 

The flaw CVE-2022-42889, discovered by Alvaro Munoz, first appeared on October 13, 2022, on the Apache dev list. However, details about the severity and scope of the vulnerability are still emerging, including the detection of any examples of real-world applications using vulnerable configurations of the impacted library.

The bug is being compared with the Log4Shell vulnerability, flaws in Apache Log4j 2, a popular Java library for logging error messages in applications. However, according to the analysis done by many security researchers (till the time of writing), it doesn't seem the impact same as the Log4Shell vulnerability. 

About CVE-2022-42889 Vulnerability

CVE-2022-42889 arises from the insecure implementation of Commons Text’s variable interpolation functionality.

An interpolator is created by the StringSubstitutor.createInterpolator() method and will allow for string lookups as defined in the StringLookupFactory. This can be used by passing a string “${prefix:name}” where the prefix is the aforementioned lookup. Using the “script”, “dns”, or “url” lookups would allow a crafted string to execute arbitrary scripts when passed to the interpolator object.

This is something similar to the PoC for Log4Shell vulnerability. 

CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. The Apache team has patched the vulnerability and released the patch as of Commons Text version 1.10.

The rapid7 team tested their proof-of-concept in the following JDK version- 

• JDK 1.8.0_341 - PoC works
• JDK 9.0.4 - PoC works
• JDK 10.0.2 - PoC works
• JDK 11.0.16.1 - warning but works
• JDK 12.0.2 - warning but works
• JDK 13.0.2 - warning but works
• JDK 14.0.2 - warning but works
• JDK 15.0.2 - fails
• JDK 16.0.2 - fails
• JDK 17.0.4.1 - fails
• JDK 18.0.2.1 - fails
• JDK 19 - fails

However, the JFrog Security team noted that Java 15+ users are safe from code execution since the Nashorn engine was disabled, so ${script} interpolation won't work. Other vectors (DNS, URL) will still work though.

The PoC code is similar to the Log4Shell: ${script:javascript:java.lang.Run.Runtime.getRuntime().exec("cat /etc/shadow");}

PoC exploit

The Rapid7 team noted that, 

the specific code fragment is unlikely to exist in production applications, the concern is that in some applications, the `pocstring` variable may be attacker-controlled. In this sense, the vulnerability echoes Log4Shell. 

However, the StringSubstitutor interpolator is considerably less widely used than the vulnerable string substitution in Log4j and the nature of such an interpolator means that getting crafted input to the vulnerable object is less likely than merely interacting with such a crafted string as in Log4Shell.

Calling it Text4Shell or Text2Shell

We have seen many out there calling this vulnerability as Text4Shell or Text2Shell, as it has same type of exploit code as Log4Shell. Apache Commons Text is a widely used library, but on a much smaller scale than Log4J. 

The CVE-2022-42889 (Text4Shell / Text2Shell) vulnerability consists of injecting a malicious payload into the vulnerable software, which will ask Apache Commons Text to obtain a value from a third-party source, with DNS, or by running a script. 

However, in this case, Apache Commons Text does not check the data to be processed by default, which means that malicious code can be executed if no filter has been implemented in the vulnerable application code

Recommendation

As the vulnerability is not like to be much impacted like Log4Shell, then also we strongly recommend upgrading the Apache Commons Text version to the fixed verison1.10.0. 

Source: Rapid7