Oct 27, 2022 3 min read

Mercans’ Response to a Critical Flaw in the Widely Used Apache Commons Text Library

A recently patched vulnerability in Apache Commons Text made headlines this week. The vulnerability, dubbed Text4Shell or Act4Shell, is causing some alarm in the security and tech communities, perhaps because of its name and because, like Log4Shell, it sits in a widely used open-source Java library. It has been assigned CVE-2022-42889 and was reported by GitHub Security Lab. Apache Commons Text is an open-source Java library for working with strings (objects that represent a sequence of characters, or char values).

What does it do?

The flaw lies in the library's variable interpolation. The StringSubstitutor class expands placeholders of the form ${prefix:name} inside a string, and the interpolator returned by StringSubstitutor.createInterpolator() comes with a default set of lookups keyed by that prefix. If an attacker can place a specially crafted string (in a request parameter, a form field, or a file that the application later interpolates) where the library will expand it, the lookup named in the placeholder runs with the application's privileges, as if it were part of the application's own template.

Three of those default lookups are the dangerous ones: the script lookup (which evaluates expressions through a JSR-223 scripting engine such as JavaScript), the dns lookup (which resolves DNS records) and the url lookup (which fetches content from a URL). Successful exploitation can give an attacker a reverse shell on the vulnerable application, effectively opening the door to follow-on attacks; even where script execution is not available, the dns and url lookups still allow out-of-band callbacks and server-side requests.

It is rated Critical with a CVSS score of 9.8 and is a remote code execution vulnerability: an attacker whose input reaches the interpolator can execute arbitrary code on the machine and compromise the entire system. In practice, code execution through the script lookup also requires a scripting engine on the classpath (the Nashorn JavaScript engine ships with JDK 8 through 14, but not with later JDKs).

Note: Versions 1.5 through 1.9 of Apache Commons Text are affected. Version 1.10.0 fixes the issue by removing the script, dns and url lookups from the default set.

As a general-purpose text manipulation toolkit, Apache Commons Text is a Java library that focuses on algorithms for working with strings. Developers may have pulled in Commons Text as a direct or transitive dependency of their own code, or it may be bundled inside an application they run.

The Impact of CVE-2022-42889

Because it is easy to exploit and can affect confidentiality, integrity and availability, the severity is Critical. A crafted request can give full control of the vulnerable system, as described in the previous section.

This vulnerability is unlikely to have the same impact as the earlier Log4Shell and Spring4Shell vulnerabilities.

The vulnerable component is the interpolating StringSubstitutor in the Apache Commons Text library. Exploitation is possible only if an application passes user-controllable input to a StringSubstitutor built with the default lookups (for example, one obtained from StringSubstitutor.createInterpolator()). That usage is far less common in production than the vulnerable string substitution in Log4j, which logging statements applied to almost every untrusted string. Consequently, Text4Shell does not have the same large-scale impact as Log4Shell.
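To make the condition above concrete, here is an added example (not code from the original post or from the Apache Commons project) that puts the exploitable pattern, the default interpolator fed untrusted input, next to a hardened form that allowlists lookups. The class and method names, the template strings and the "var" prefix are assumptions made for the illustration; the library calls are the Commons Text API as shipped in 1.9.

```java
// Added example, not from the original post or from Apache Commons.
// Assumes commons-text 1.9 on the classpath; class and method names are
// illustrative.
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    // VULNERABLE on commons-text 1.5 to 1.9: createInterpolator() wires in the
    // default lookup set, which includes "script", "dns" and "url". If any part
    // of the template is user-controlled, the user picks the lookup.
    static String renderVulnerable(String untrustedTemplate) {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
        return interpolator.replace(untrustedTemplate);
    }

    // HARDENED: build the substitutor from an explicit allowlist of lookups.
    // addDefaultLookups=false keeps script/dns/url (and every other default)
    // out on any library version, so an unknown prefix such as "script" is
    // simply not resolved and the placeholder is left in the output as text.
    static String renderHardened(String untrustedTemplate, Map<String, String> values) {
        StringLookup allowed = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of("var", StringLookupFactory.INSTANCE.mapStringLookup(values)),
                null,    // no fallback lookup for unprefixed names
                false);  // do not add the default lookups
        return new StringSubstitutor(allowed).replace(untrustedTemplate);
    }

    public static void main(String[] args) {
        // Constructed attacker input: a harmless arithmetic expression stands
        // in for an arbitrary payload handed to the scripting engine.
        String payload = "Hello ${script:javascript:6*7}";

        // With a JSR-223 JavaScript engine available (Nashorn on JDK 8-14) the
        // engine evaluates the attacker's expression; without one, the script
        // lookup throws IllegalArgumentException instead of resolving.
        try {
            System.out.println(renderVulnerable(payload));
        } catch (IllegalArgumentException e) {
            System.out.println("script lookup failed: " + e.getMessage());
        }

        // The hardened substitutor resolves only the application's own values
        // and leaves the "script" placeholder unexpanded.
        String hardened = renderHardened("Hello ${var:name}, " + payload,
                Map.of("name", "Alice"));
        System.out.println(hardened);
    }
}
```

Upgrading to 1.10.0 only changes the default lookup set; an explicit allowlist like the one above protects a StringSubstitutor regardless of library version and also documents which lookups the application actually needs. To find out whether the library is present at all, including as a transitive dependency, a Maven project can run `mvn dependency:tree -Dincludes=org.apache.commons:commons-text`.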

Mercans’ Response

Mercans has conducted a deep dependency audit and a risk mitigation analysis of its infrastructure.

The analysis found no vulnerabilities, and the quality of the services we provide has not been affected in any way.

In order to protect its data, Mercans uses military-grade security. The company's systems comply with international standards such as GDPR, ISO 9001 and SOC 1 & 2, and undergo OWASP ASVS 3.0 penetration testing.
