Oct 27, 2022 3 min read

Mercans’ Response to a Critical Flaw in the Widely Used Apache Commons Text Library

A recently patched vulnerability in Apache Commons Text made headlines this week. The vulnerability, dubbed Text4Shell or Act4Shell, has caused some alarm in the security and tech communities, perhaps because of its name and because, like Log4Shell, it sits in a widely used open-source Java library. It has been assigned CVE-2022-42889 and was discovered by GitHub Security Lab. Apache Commons Text is an open-source Java library for working with strings (objects that represent a sequence of characters).

What does it do?

The vulnerability is in the library's string interpolation. StringSubstitutor replaces placeholders of the form ${prefix:name} with values supplied by "lookups", and the instance returned by StringSubstitutor.createInterpolator() enables a set of default lookups. Three of those defaults act on the placeholder's content instead of merely reading a variable: the script lookup (which evaluates an expression in a JSR-223 script engine, for example ${script:javascript:...}), the dns lookup (which resolves DNS records), and the url lookup (which fetches the contents of a URL). Any application that passes attacker-controlled text through such a substitutor, for example a request parameter or an uploaded file used as a template, lets the attacker decide what those lookups evaluate, resolve or fetch.

When exploited successfully, the flaw lets an attacker run arbitrary code in the application's process, for instance to establish a reverse shell connection with the vulnerable application, effectively opening the door to follow-on attacks.

It is rated Critical with a CVSS score of 9.8 and is a remote code execution vulnerability: an attacker who reaches a vulnerable code path can execute arbitrary code on the host and compromise the entire system. One practical caveat: the script lookup needs a JSR-223 script engine on the classpath. JDK 8 through 14 ship the Nashorn JavaScript engine, but it was removed in JDK 15, so on newer runtimes the script lookup fails unless an engine has been added; the dns and url lookups still work and can make the application issue DNS queries and HTTP requests on the attacker's behalf.

Note: Versions 1.5 through 1.9 of Apache Commons Text are affected. Version 1.10.0 fixes the issue by removing the script, dns and url lookups from the interpolator's defaults; they remain available to applications that enable them explicitly.

As a general-purpose text manipulation toolkit, Apache Commons Text is a Java library focused on algorithms that work with strings. Developers may find Commons Text as a direct or transitive dependency of their own code, and it may also be bundled inside applications they run.

The Impact of CVE-2022-42889

Due to the ease of exploitation and the potential impact on confidentiality, integrity, and availability, the severity is Critical. As discussed in the previous section, a crafted request can give an attacker full control of the vulnerable system.

This vulnerability is unlikely to have the same impact as the earlier Log4Shell and Spring4Shell vulnerabilities.

The reason is the narrower attack surface. Exploitation is possible only where an application passes user-controllable input to a StringSubstitutor that has the interpolation lookups enabled, typically one created with StringSubstitutor.createInterpolator(). That pattern is far less common in production code than the vulnerable message formatting in Log4j, which processed attacker-controlled strings by design whenever they were logged. Consequently, Text4Shell does not have the same large-scale impact as Log4Shell.
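The condition just described (untrusted input reaching a StringSubstitutor with the default lookups), together with the script lookup described under "What does it do?", is easier to see in code. The example below is added here for illustration; it is not Mercans' code and not code from the Apache project. It assumes org.apache.commons:commons-text:1.9 on the classpath for the vulnerable path (on 1.10.0 the same call leaves the payload unresolved), a JDK that still ships a JavaScript engine for the script lookup to fire, and the class and method names (Text4ShellDemo, renderVulnerable, renderHardened) are my own.

```java
import java.util.Collections;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Vulnerable vs. hardened use of StringSubstitutor (Commons Text 1.5 - 1.9).
 * Added illustration, not Mercans' or the Apache project's code.
 * Assumes commons-text 1.9 on the classpath to reproduce the vulnerable path.
 */
public class Text4ShellDemo {

    // Constructed attacker input: the "script" lookup hands everything after
    // the second colon to the named JSR-223 engine. This payload only reads a
    // system property to prove that code ran; Runtime.exec() fits in the same slot.
    static final String PAYLOAD =
        "${script:javascript:java.lang.System.getProperty('java.version')}";

    // VULNERABLE: createInterpolator() wires in every default lookup, including
    // script, dns and url, and the untrusted string is used as the template.
    static String renderVulnerable(String untrusted) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(untrusted);
    }

    // HARDENED: resolve only developer-chosen variables from a fixed map (no
    // interpolator, so no script/dns/url lookups exist to reach), and keep user
    // input in the values, never in the template.
    static String renderHardened(String template, Map<String, String> vars) {
        StringSubstitutor sub = new StringSubstitutor(
            StringLookupFactory.INSTANCE.mapStringLookup(vars));
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // On an affected version with a JavaScript engine available (JDK 8-14
        // ship Nashorn) this prints the JVM version: the payload was executed.
        System.out.println("vulnerable: " + renderVulnerable(PAYLOAD));

        // Here the payload is only data. The map lookup has no key
        // "script:javascript:..." so the placeholder is left untouched and
        // the output is "Hello, ${script:javascript:...}".
        Map<String, String> vars = Collections.singletonMap("name", PAYLOAD);
        System.out.println("hardened:   " + renderHardened("Hello, ${name}", vars));
    }
}
```

Two points worth checking in your own code. First, keeping untrusted input out of the template is not sufficient by itself: StringSubstitutor rescans a resolved value for further placeholders by default, so a substitutor that still carries the interpolator lookups would evaluate a payload arriving through a map value too. Restricting the lookups, as above, is the primary defense; setDisableSubstitutionInValues(true) is a useful second layer. Second, after upgrading to 1.10.0, grep for explicit calls to scriptStringLookup(), dnsStringLookup() and urlStringLookup() from StringLookupFactory, since code that opts back in to those lookups is exactly as exposed as before.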

Mercans’ Response

Mercans has conducted a deep dependency audit and a risk mitigation analysis of its infrastructure.

The analysis found no vulnerabilities, and the quality of the services we provide has not been affected in any way.

In order to protect its data, Mercans uses military-grade security. The company’s systems comply with international standards such as GDPR, ISO 9001 and SOC 1 & 2, and undergo OWASP ASVS 3.0 penetration testing.
