Mercans’ Response to a Critical Flaw in the Widely Used Apache Commons Text Library

Text4Shell Vulnerability

Mercans’ Response to a Critical Flaw in the Widely Used Apache Commons Text Library

A recently patched vulnerability in Apache Commons Text made headlines this week. This vulnerability, dubbed Text4Shell or Act4Shell, is causing some alarm among the security and tech communities, perhaps due to its name and the fact that, like Log4Shell, it resides in an open-source, Java-based application. This vulnerability has been assigned CVE-2022-42889 and was discovered by GitHub Security Labs. It is an open-source library used by Java to handle strings (objects that represent a sequence of characters or char values).

What does it do?

The vulnerability allows an attacker to inject malicious code into the modified libraries. This can be done by using a specially crafted URL or file, which when loaded into Apache Commons Text’s Java library will cause it to execute as if it were part of the original file.

A script check (which allows expressions to be executed), a DN lookup (which resolves DNS records), and a url check (which loads values from urls) are the default lookups that an attacker might use to execute code. When exploited successfully, the flaw could provide an attacker with the ability to establish a reverse shell connection with the vulnerable application, effectively opening the door to follow-on attacks.

It is rated as a critical 9.8 severity and is always a remote code execution vulnerability, which allows attackers to execute arbitrary code on the machine and compromise the entire system.

Note: Versions 1.5 through 1.9 of Apache Commons Text are affected, but version 1.10 has been patched.

As a general-purpose text manipulation toolkit, Apache Commons Text is a Java library that focuses on algorithms working with strings. Coders may have run into Commons Text as a dependency in their code, or it might be used by an application they are currently running on their laptops.

The Impact of CVE-2022-42889

Due to the easy exploitability and the potential impact on confidentiality, integrity, and availability, the severity is Critical. It is possible to take full control of the vulnerable system through a crafted request, as we discussed in the previous section.

These vulnerabilities won’t likely have the same impact as the previous Log4Shell and Spring4Shell vulnerabilities.

As far as the vulnerable component is concerned, the Apache Commons Text library is most likely to be exploited.

To be more specific, exploitation is possible only if it implements the StringSubstitutor object with some user-controllable input. It is not as common to find this implementation in production environments as the vulnerable string substitution in Log4j. Consequently, Text4Shell does not have the same large-scale impact as Log4Shell.

Mercans’ Response

Mercans has conducted deep dependency audit and a risk mitigation analysis of its infrastructure.

The analysis has not found any vulnerabilities and hasn’t affected the quality of our services provided in any way.

In order to protect its data, Mercans uses military-grade security. The company’s systems are in compliance with international compliance standards such as GDPR, ISO 9001, SOC 1 & 2, and OWASP ASVS 3.0 pentration test.