Advisory on CVE-2022-42889, Named “Text4Shell”

Summary

A new critical vulnerability on the very popular Apache Commons Text library reported and tracked as CVE-2022-42889, named Text4Shell. The vulnerability affects the StringSubstitutor interpolator class which allows for string lookups leading to Remote Code Execution.
 
Category: Vulnerability Intelligence Vulnerability Class: Remote Code Execution CVE ID: CVE-2022-42889 CVSS:3.0 Score: 9.8

Executive Summary

THREAT IMPACT MITIGATION
  • A new critical vulnerability on the very popular Apache Commons Text library reported and tracked as CVE-2022-42889, named Text4Shell.
  • The vulnerability affects the StringSubstitutor interpolator class which allows for string lookups leading to Remote Code Execution.
  • Due to the high potential for abuse and easy exploitability in terms of availability, confidentiality, and integrity, the severity is Critical.
  • Patch to the most recent version(v1.10) to reduce vulnerabilities
  • Use scanners to see if you are impacted, to be safe.

Analysis

The Research Team at CloudSEK has created a brief report on the Text4Shell vulnerability.

The Technical Analysis of CVE-2022-42889

A Java library called Apache Commons Text is referred to as “a library focused on algorithms working on strings.” It can be viewed as a toolkit for text manipulation in general.
  • The StringSubstitutor interpolator class, which is part of the Commons Text library, is vulnerable to a flaw found in Apache Commons Text packages 1.5 and continuing through 1.9.
  • String lookups with a default interpolator are possible and may result in Remote Code Execution.
  • Due to a logical error, the "script," "dns," and "url" lookup keys are interpolated by default, instead of how they should be, as stated in the StringLookupFactory class documentation.
  • These keys enable an attacker to run any code by using lookups.
  • The vulnerable web application exposes a search API in which the Commons Text StringSubstitutor is used to interpolate the query: http://web.app/text4shell/attack?search=<query>
  • The vulnerability could be exploited to launch a reverse shell with the payload described as follows:
  • This payload's "$prefix:name" component initiates the String Lookup. "Script," "dns," and "url" are the keys that can be used as the prefix to exploit the vulnerability, as mentioned earlier.
  • The lookup has a number of fields which it tries to identify:

Conclusion

In light of Log4shell, this vulnerability might result in some panic. Although it is less frequently used in the wild, and requires specific implementation for exploitation to be viable, it is still a significant vulnerability because it is widely used, is simple to exploit and has a big impact. It is crucial to check code for vulnerabilities.

Impact & Mitigation

Impact Mitigation
  • When considering the vulnerable part, the use of the Apache Commons Text library increases the risk of exploitation.
  • Exploitation is only possible if the StringSubstitutor object is implemented with some user-controlled input.
  • Take necessary actions to reduce the vulnerability and continue the running-time monitoring of your infrastructure and applications.

References

 

Table of Contents

Request an easy and customized demo for free