Oct 27, 2022 3 min read

Mercans’ Response to a Critical Flaw in the Widely Used Apache Commons Text Library


A recently patched vulnerability in Apache Commons Text made headlines this week. This vulnerability, dubbed Text4Shell or Act4Shell, is causing some alarm among the security and tech communities, perhaps due to its name and the fact that, like Log4Shell, it resides in an open-source, Java-based library. It has been assigned CVE-2022-42889 and was discovered by GitHub Security Labs. Apache Commons Text is an open-source Java library for working with strings (objects that represent a sequence of characters or char values).

What does it do?

The vulnerability allows an attacker to have malicious expressions evaluated by the library. This can be done with a specially crafted string, delivered for example through a URL or a file, which, when passed through Apache Commons Text’s string interpolation, is evaluated as if it were trusted input from the application itself.

The script lookup (which evaluates expressions), the dns lookup (which resolves DNS records), and the url lookup (which loads values from URLs) are the default lookups that an attacker might use to execute code or reach out to the network. When exploited successfully, the flaw could provide an attacker with the ability to establish a reverse shell connection with the vulnerable application, effectively opening the door to follow-on attacks.

It is rated as a critical 9.8 severity and is a remote code execution vulnerability, which allows attackers to execute arbitrary code on the machine and compromise the entire system.

Note: Versions 1.5 through 1.9 of Apache Commons Text are affected; the issue was patched in version 1.10.

As a general-purpose text manipulation toolkit, Apache Commons Text is a Java library that focuses on algorithms for working with strings. Developers may have pulled in Commons Text as a dependency of their own code, or it may be used by an application they are currently running on their laptops.

The Impact of CVE-2022-42889

Due to the easy exploitability and the potential impact on confidentiality, integrity, and availability, the severity is Critical. It is possible to take full control of the vulnerable system through a crafted request, as we discussed in the previous section.

This vulnerability is unlikely to have the same impact as the previous Log4Shell and Spring4Shell vulnerabilities.

The vulnerable component is the Apache Commons Text library itself.

To be more specific, exploitation is possible only if an application uses the StringSubstitutor interpolator on user-controllable input. This pattern is far less common in production environments than the vulnerable string substitution in Log4j. Consequently, Text4Shell does not have the same large-scale impact as Log4Shell.
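To make the two conditions above concrete (the default interpolator lookups from the earlier section, plus user-controllable input reaching StringSubstitutor), here is an added Java example written for this post; it is not Mercans’ code. It shows the risky call pattern, two hardened ways of substituting values that never register the script, dns and url lookups, and a simple screen that flags inputs carrying those lookup prefixes. Class, method and variable names are my own, the sample inputs are constructed, and it assumes Apache Commons Text 1.9 on the classpath.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example (not Mercans' code): the risky StringSubstitutor pattern behind
// CVE-2022-42889 beside two hardened forms and a simple input screen.
public class Text4ShellPatterns {

    // Prefixes of the interpolator lookups the post names as dangerous defaults.
    private static final String[] RISKY_PREFIXES = {"${script:", "${dns:", "${url:"};

    // RISKY PATTERN (commons-text 1.5 to 1.9): the default interpolator wires in
    // the script, dns and url lookups, so any "${prefix:...}" expression inside
    // untrusted text is resolved by them. Never call this on request data.
    static String riskyRender(String untrustedTemplate) {
        return StringSubstitutor.createInterpolator().replace(untrustedTemplate);
    }

    // HARDENED FORM 1: substitute only from a fixed map of application values.
    // Unknown keys such as "script:..." match nothing and stay as literal text.
    static String safeRenderFromMap(String template, Map<String, String> values) {
        return new StringSubstitutor(values).replace(template);
    }

    // HARDENED FORM 2: an interpolator with an explicit allow-list of lookups and
    // addDefaultLookups=false, so script, dns and url are never registered.
    // Unprefixed keys fall back to the application's own value map.
    static String safeRenderWithAllowList(String template, Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup restricted = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, StringLookupFactory.INSTANCE.mapStringLookup(values), false);
        return new StringSubstitutor(restricted).replace(template);
    }

    // DETECTION: flag inputs (query parameters, headers, log lines) that carry one
    // of the risky lookup prefixes. The comparison is case-insensitive so that
    // capitalisation differences do not slip past the check; treat a hit as a
    // reason to investigate, not as proof of exploitation.
    static boolean containsRiskyLookup(String input) {
        String lower = input.toLowerCase(Locale.ROOT);
        for (String prefix : RISKY_PREFIXES) {
            if (lower.contains(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");

        // Constructed sample inputs: one benign, one carrying a script-lookup prefix
        // (a placeholder expression, not a working payload).
        String benign = "Hello ${user}";
        String suspicious = "Hello ${script:placeholder}";

        System.out.println(safeRenderFromMap(benign, values));         // Hello alice
        System.out.println(safeRenderFromMap(suspicious, values));     // left as literal text, nothing evaluated
        System.out.println(safeRenderWithAllowList(benign, values));   // Hello alice
        System.out.println(containsRiskyLookup(benign));               // false
        System.out.println(containsRiskyLookup(suspicious));           // true
    }
}
```

The hardened forms are a mitigation for code that cannot be upgraded immediately; the actual fix, as the note above says, is moving to Apache Commons Text 1.10. The detection helper is deliberately a coarse string check that a defender can run over request logs or a web application firewall rule, and a match should be followed by a review of where that input was used.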

Mercans’ Response

Mercans has conducted a deep dependency audit and a risk mitigation analysis of its infrastructure.

The analysis found no vulnerabilities, and the quality of the services we provide has not been affected in any way.

In order to protect its data, Mercans uses military-grade security. The company’s systems are in compliance with international standards such as GDPR, ISO 9001, SOC 1 & 2, and OWASP ASVS 3.0 penetration testing.
