Hackers Started Exploiting Critical “Text4Shell” Apache Commons Text Vulnerability

WordPress security company Wordfence on Thursday said it started
detecting exploitation attempts targeting the newly disclosed flaw
in Apache Commons Text on October 18, 2022.

The vulnerability, tracked as CVE-2022-42889 ^[1]
aka Text4Shell, has been assigned a severity ranking of 9.8
out of a possible 10.0 on the CVSS scale and affects versions 1.5
through 1.9 of the library.

It’s also similar to the now infamous Log4Shell ^[2]
vulnerability in that the issue ^[3]
is rooted in the manner string substitutions ^[4]
carried out during DNS, script, and URL lookups ^[5] could lead to the
execution of arbitrary code on susceptible systems when passing
untrusted input.

A successful exploitation of the
flaw ^[6] can enable a threat
actor to open a reverse shell connection with the vulnerable
application simply via a specially crafted payload, effectively
opening the door for follow-on attacks.

While the issue ^[7]
was originally reported ^[8]
in early March 2022, the Apache Software Foundation (ASF) released
an updated version ^[9]
of the software (1.10.0) on September 24, followed by issuing an advisory ^[10] only last week on
October 13.

“Fortunately, not all users of this library would be affected by
this vulnerability – unlike Log4J in the Log4Shell vulnerability,
which was vulnerable even in its most basic use-cases,” Checkmarx
researcher Yaniv Nizry said ^[11].

“Apache Commons Text must be used in a certain way to expose the
attack surface and make the vulnerability exploitable.”

Wordfence also reiterated that the likelihood of successful
exploitation is significantly limited in scope when compared to
Log4j, with most of the payloads observed so far designed to scan
for vulnerable installations.

“A successful attempt would result in the victim site making a
DNS query to the attacker-controlled listener domain,” Wordfence
researcher Ram Gall said ^[12], adding requests with
script and URL prefixes have been comparatively lower in
volume.

If anything, the development is yet another indication of the
potential security risks posed by third-party open source
dependencies, necessitating that organizations routinely assess
their attack surface and set up appropriate patch management
strategies.

Users who have direct dependencies on Apache Commons Text are
recommended ^[13] to upgrade to the fixed
version to mitigate potential threats. According to Maven Repository ^[14], as many as 2,593
projects use the Apache Commons Text library.

The Apache Commons Text flaw also follows another critical
security weakness that was disclosed in Apache Commons
Configuration in July 2022 (CVE-2022-33980 ^[15], CVSS score: 9.8),
which could result ^[16] in arbitrary code
execution through the variable interpolation functionality.

References

^{^}
CVE-2022-42889
(nvd.nist.gov)
^{^}
Log4Shell
(thehackernews.com)
^{^}
issue
(commons.apache.org)
^{^}
string
substitutions (en.wikipedia.org)
^{^}
DNS,
script, and URL lookups
(nakedsecurity.sophos.com)
^{^}
successful exploitation of the flaw
(sysdig.com)
^{^}
issue
(twitter.com)
^{^}
reported
(securitylab.github.com)
^{^}
updated
version (commons.apache.org)
^{^}
issuing an advisory
(lists.apache.org)
^{^}
said
(checkmarx.com)
^{^}
said
(www.wordfence.com)
^{^}
recommended
(www.rapid7.com)
^{^}
Maven
Repository (mvnrepository.com)
^{^}
CVE-2022-33980
(nvd.nist.gov)
^{^}
result
(snyk.io)

References

Leave a Reply Cancel reply