On 13 October 2022, the Apache Software Foundation published details of a critical vulnerability in the Apache Commons Text library, fixed in version 1.10.0 (Java 8+). Since then, multiple working exploit implementations have been made publicly available. We recommend updating the affected library to the latest version.
Details
Apache Commons Text version 1.10.0 contains a security update that fixes a critical flaw in versions 1.5 through 1.9. Apache Commons Text is an open-source Java library and a component of the Apache Commons project that is offered as an alternative to the native Java Development Kit (JDK) for text handling. It is used to modify, decode, generate, and escape text strings based on input string lookups.
The vulnerability, tracked as CVE-2022-42889 and given the names Text4Shell and Act4Shell, has been assigned a CVSS score of 9.8 out of 10 (Critical). The flaw is due to a failure to validate the input to string lookups when Apache Commons Text performs variable interpolation. Also known as string interpolation (variable substitution, variable expansion), this process evaluates strings that contain placeholders and replaces each placeholder with its corresponding value. The set of default string lookups in versions 1.5-1.9 included interpolators that could accept untrusted input from a remote source. That input may then be processed on an internal server, triggering arbitrary code execution or connections to remote servers. In version 1.10.0, Apache has disabled the vulnerable interpolators by default.
Several working exploit implementations have been published for this vulnerability and are publicly available on GitHub. Exploitation appears to require a vulnerable version of the Apache Commons Text library, in its default configuration, parsing user-controlled input. Researchers also note that it only affects applications that pass user input strings to:
StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup()
StringSubstitutor.createInterpolator().replace()
These interpolators are not widely used, so exploitation is significantly less likely than in the case of the similar, recent vulnerability in Log4j.
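As an added example (not code from the advisory or from the Apache project), the following Java snippet shows how an application can build a `StringSubstitutor` from an explicit allowlist of lookups instead of the default interpolator, so that only the prefixes it registers are ever resolved and every other placeholder is left as literal text. The prefix name `app` and the sample values are assumptions made for this example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class RestrictedInterpolation {

    /**
     * Builds a substitutor whose interpolator knows only the lookups we register.
     * addDefaultLookups=false keeps the library's default lookup set (the set that
     * contained the interpolators disabled by default in 1.10.0) out of reach,
     * regardless of which library version is on the classpath.
     */
    static StringSubstitutor restrictedSubstitutor(Map<String, String> appValues) {
        // Allowlist: prefix -> lookup. "app" is a name chosen for this example.
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));

        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, // only these prefixes resolve
                null,    // no fallback lookup for unknown prefixes or prefix-less keys
                false);  // do not add the default lookups

        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>(); // constructed sample data
        values.put("greeting", "Hello");

        StringSubstitutor sub = restrictedSubstitutor(values);

        // Allowlisted prefix: resolved from the map we supplied.
        System.out.println(sub.replace("${app:greeting}, world"));

        // A prefix that is not registered (here the library's "sys" lookup) has
        // no resolver, so the placeholder comes back unchanged, not evaluated.
        System.out.println(sub.replace("${sys:java.version}"));
    }
}
```

The same construction works on versions 1.5 through 1.9, but it is a defence-in-depth measure for code that must interpolate user-supplied text, not a substitute for upgrading to 1.10.0.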
Apache Commons Text is used by several projects, including Apache Hadoop, Spark, Velocity, Hive, and Solr. At the time of writing, the Apache security team has stated that it is “not currently aware of any applications” using the vulnerable interpolators or otherwise affected by this flaw. Details about the severity and scope of this vulnerability are still emerging.
Recommendations
We recommend reviewing your Apache software supply chain and third-party services for the use of a vulnerable version of this library. Files whose names match the pattern commons-text*.jar, together with application code that references the strings `StringSubstitutor` and `StringLookupFactory`, are a good indicator.
If you are using Apache Commons Text versions 1.5 through 1.9, follow Apache’s guidance and update the affected product to the latest version (1.10.0).
We also recommend monitoring for third-party updates and applying them as they become available.
As a general precaution to mitigate this type of vulnerability, we recommend treating all application inputs as untrusted by default and as a potential source of malicious data.