Apache Commons Text Vulnerability Advisory | October 2022

Proof of Concept code (PoC) for exploitation is available for the popular Java-based software package Apache Commons Text. Here's what you need to know.

Background

On October 13, 2022, the Apache Commons Text team disclosed CVE-2022-42889 and recommended users upgrade to version 1.10. The Apache Commons Text utility is used in Java-based software to evaluate and process text for a variety of different use cases. While Apache Commons Text is widely used, the specific components of code with the flaw may not be as commonly utilized.


Quick facts: what you need to know now

  • Impacted versions include Apache Commons Text version 1.5 through 1.9.
  • If you rely on vendor software that uses Commons Text, you are likely not vulnerable as successful exploitation is only possible when software uses a specific component of the Commons Text code without properly sanitizing untrusted input.
  • If your own software uses Commons Text, check if your code uses the StringSubstitutor API without properly sanitizing untrusted input. See below for guidance.
  • An unauthenticated threat actor can execute arbitrary commands on systems leveraging the vulnerable code. This could lead to the wider compromise of the underlying system.

 

The number of third-party software products leveraging Apache Commons Text is high but those using the the vulnerable part of that library may be more limited, therefore the full impact is unknown.

Next Steps for All Apache Commons Text Customers:

All organizations should ensure the following:

  1. Review all applications and projects you manage (software your organization writes) that may leverage Apache Commons Text.
    1. To check for the use of Apache Commons Text in your own software, researchers released the following tool: https://github.com/jfrog/text4shell-tools.
    2. The Apache Security Team recommends double-checking whether software utilizing Commons Text also uses the StringSubstitutor API.
    3. Upgrade to version 1.10 which will mitigate the vulnerability.
    4. Ensure that any untrusted input is sanitized and validated.
  2. Ensure EDR technology is running on all servers.
  3. Apply updates and patches from vendor software products which may be released in response to this vulnerability in the coming days and weeks.


Resources

https://blogs.apache.org/security/entry/cve-2022-42889

https://www.helpnetsecurity.com/2022/10/19/cve-2022-42889/

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

https://therecord.media/experts-downplay-reach-of-apache-bug-text4shell/ 

If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!