Published: November 21, 2022
Overview
A vulnerability has been found in the string interpolator module of a Java library called the Apache Commons Text library. Exploiting this vulnerability (CVE-2022-42889) can result in a cyber-criminal taking over your computer or manipulating data strings to force data leakage. Its severity rating is critical.
While this vulnerability does not impact Netsurion’s infrastructure or platform, we are providing insights and remediation guidance to our customers, partners, and the industry at large in the spirit of cooperation.
Background
The string interpolator in the Lookup module present in the Apache Commons Text library can execute code with some specific input which can cause remote code execution by an attacker.
For contact with remote servers, the String Lookup module in the Apache Commons Text library has string interpolators which can unintentionally contact an untrusted remote server, leading to data leakage.
Further Background on the Text4Shell Vulnerability
Remote Code Execution (RCE) is one potential danger if attackers exploit this vulnerability. RCE allows an attacker to access someone else’s computing device and make changes, no matter where the device is geographically located. After gaining system access, attackers usually elevate the privileges to gain “super-user” capabilities to cause more damage like installing malware or deleting data. Software vendors release regular software patches to overcome vulnerabilities such as RCEs.
Impact
This vulnerability applies to the following use case:
- Apache Commons Text library – CVE-2022-42889
Exploit Overview
This vulnerability is easily exploited with specific payloads to certain APIs of the Apache Commons Text library. With a specifically crafted request, the vulnerable system could be completely taken over by using remote code execution. This vulnerability is only exploitable if the product implements the StringsSubstitutor object with some user-controlled input and if the input is not sanitized properly. The point of entry is the input string to the strong interpolator object – StringSubstitutor in the Apache Commons Text library.
Applicable Versions
Only applications using Apache Commons Text versions 1.5 to 1.9 are vulnerable.
Note that the CVE-2022-42889 has a risk rating of Critical or 9.8 out of 10.0 severity on the CVSS Severity scale in the National Vulnerability Database (NVD).
This new Text4Shell vulnerability is thus far not viewed as widespread nor as damaging as its predecessor “Log4J” vulnerability.
Mitigations
This vulnerability has been fixed in the patch for Apache Commons Text version 1.10 which disables the default interpolators.
Best Practices
Netsurion is not aware of any active exploits in the wild, but that could change rapidly. Best practices to mitigate this vulnerability include:
- To stay protected against CVE-2022-42889 exploits and Text4Shell vulnerabilities, it is important that any users of Apache Common Text library versions 1.5 to 1.9 patch their devices and systems.
Netsurion Detection and Response
At this time, our security experts have determined that no Netsurion infrastructure, products, or modules have been found to be impacted by CVE-2022-42889.
Our security experts are closely monitoring Apache Text4Shell vulnerabilities for updates and any potential exploits by cyber-criminals. We will update this Threat Advisory with any future details and attack surface reduction tips.
Detection by Netsurion Vulnerability Management Service
The Vulnerability Management signature database has been updated with CVE-2022-42889 mitigations. Our Security Operations Center (SOC) will detect and report any Text4Shell vulnerabilities to our customers who subscribe to Netsurion Vulnerability Management.
Contact your Netsurion Account Manager with any questions.
References: