Oct 27, 2022 3 min read

Mercans’ Response to a Critical Flaw in the Widely Used Apache Commons Text Library

A recently patched vulnerability in Apache Commons Text made headlines this week. This vulnerability, dubbed Text4Shell or Act4Shell, is causing some alarm among the security and tech communities, perhaps due to its name and the fact that, like Log4Shell, it resides in an open-source, Java-based application. This vulnerability has been assigned CVE-2022-42889 and was discovered by GitHub Security Labs. Apache Commons Text is an open-source library used by Java applications to handle strings (objects that represent a sequence of characters or char values).

What does it do?

The vulnerability allows an attacker to inject malicious code into an application that uses the affected library. This can be done with a specially crafted string, delivered for example through a URL or a file, which Apache Commons Text evaluates when it performs variable substitution, causing the attacker's expression to execute as if it were part of the application's own template.

The script lookup (which evaluates expressions), the dns lookup (which resolves DNS records), and the url lookup (which loads values from URLs) are the default lookups that an attacker might abuse to execute code. When exploited successfully, the flaw could provide an attacker with the ability to establish a reverse shell connection with the vulnerable application, effectively opening the door to follow-on attacks.

It is rated Critical with a severity score of 9.8 and is a remote code execution vulnerability, which allows attackers to execute arbitrary code on the affected machine and compromise the entire system.

Note: Versions 1.5 through 1.9 of Apache Commons Text are affected; version 1.10 contains the fix.

Apache Commons Text is a general-purpose Java text manipulation toolkit that focuses on algorithms working with strings. Developers may have pulled in Commons Text as a dependency of their own code, or it may be used by an application they are currently running on their laptops.

The Impact of CVE-2022-42889

Due to the easy exploitability and the potential impact on confidentiality, integrity, and availability, the severity is Critical. It is possible to take full control of the vulnerable system through a crafted request, as we discussed in the previous section.

This vulnerability is unlikely to have the same impact as the earlier Log4Shell and Spring4Shell vulnerabilities.

The vulnerable component is the Apache Commons Text library itself, which is what an attacker is most likely to target.

To be more specific, exploitation is possible only if the application passes user-controllable input through a StringSubstitutor object. This pattern is less common in production environments than the vulnerable string substitution in Log4j. Consequently, Text4Shell does not have the same large-scale impact as Log4Shell.
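To make the condition above concrete, here is an added example (not Mercans' code and not from the Apache project) contrasting the risky pattern, a default interpolating StringSubstitutor fed user input, with a hardened form that resolves only an explicit allowlist of variables. The variable names and input strings are constructed for illustration.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SubstitutionExample {

    // RISKY on commons-text 1.5 through 1.9: the default interpolator registers
    // the script, dns and url lookups, so any ${prefix:...} expression found in
    // userInput is evaluated by the library rather than treated as plain text.
    static String risky(String userInput) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(userInput);
    }

    // HARDENED: the substitutor can only resolve keys present in the allowlist
    // map. Expressions such as ${script:...}, ${dns:...} or ${url:...} are not
    // known variables, so they are left untouched as literal text. This is sound
    // on every version, and remains good practice even on 1.10, where those
    // lookups are no longer enabled by default.
    static String hardened(String template, Map<String, String> allowed) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.mapStringLookup(allowed));
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample: one legitimate variable and one prefixed
        // expression that the hardened substitutor must not resolve.
        Map<String, String> allowed = Map.of("name", "Alice");
        String template = "Hello ${name}, your request ${script:unused} was received.";
        System.out.println(hardened(template, allowed));
    }
}
```

The unresolved `${script:unused}` in the hardened output is the signal that user-supplied expressions are no longer being evaluated; a dependency audit should flag any call site that still reaches `risky()`-style code on an affected version.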

Mercans’ Response

Mercans has conducted a deep dependency audit and a risk mitigation analysis of its infrastructure.

The analysis found no vulnerabilities, and it did not affect the quality of the services we provide in any way.

In order to protect its data, Mercans uses military-grade security. The company’s systems are in compliance with international compliance standards such as GDPR, ISO 9001, SOC 1 & 2, and OWASP ASVS 3.0 penetration test.
