Are your applications safe?
As an engineering professional or undergraduate in the IT industry, you will have heard about the huge discussion of the Log4j vulnerability from December 2021 onwards.
Almost a year later, in October 2022, another major vulnerability was found by Alvaro Munoz. This vulnerability affects Apache Commons Text and is rated CVSS 9.8.
However, the vulnerability is not expected to have as much impact as Log4Shell.
“…affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.”
CVE-2022-42889 arises from the insecure implementation of Apache Commons Text's variable interpolation functionality.
A dynamic variable handling vulnerability (CVE-2022-42889) allows an attacker to execute code on a server without logging in.
An interpolator is created by the StringSubstitutor.createInterpolator() method and allows string lookups as defined in StringLookupFactory. It is used by passing a string of the form "${prefix:name}", where the prefix selects one of those lookups. When untrusted input reaches the interpolator, this allows an attacker to execute code on the server without logging in.
However, the JFrog Security team noted that Java 15+ users are safe from code execution since the Nashorn engine was disabled, so ${script} interpolation won’t work. Other vectors (DNS, URL) will still work though.
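The following is an added example (not code from the original post or from the Commons Text project) showing the risky default interpolator beside an allowlisted form built from StringLookupFactory, where the template string, the values map and the class name are constructed for illustration. It assumes commons-text 1.5 or later on the classpath; on 1.10.0 the script, dns and url lookups are already off by default, but an explicit allowlist remains the more robust control.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class InterpolationHardening {

    // Risky pattern on Commons Text 1.5 - 1.9: this is createInterpolator() plus the
    // application's own map, so every built-in lookup (sys, env, script, dns, url, ...)
    // is reachable from any "${prefix:name}" that appears in untrusted input.
    static String substituteWithDefaults(String untrustedTemplate, Map<String, String> values) {
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(values);
        return new StringSubstitutor(lookup).replace(untrustedTemplate);
    }

    // Hardened form: an explicit allowlist of prefixes and addDefaultLookups=false.
    // A prefix that is not in the allowlist is stripped and the remaining name is
    // looked up only in the application's map, so nothing can reach outside the JVM.
    static String substituteAllowlisted(String untrustedTemplate, Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup()); // harmless lookup
        StringLookup appValues = StringLookupFactory.INSTANCE.mapStringLookup(values);
        StringLookup lookup = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, appValues, false);
        return new StringSubstitutor(lookup).replace(untrustedTemplate);
    }

    public static void main(String[] args) {
        // Constructed sample: a template the application intends to fill from its own
        // map, plus a "${sys:...}" reference that an untrusted caller slipped in.
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");
        String template = "Hello ${user}, running on ${sys:java.version}";

        // With defaults the sys lookup is honoured and the JVM version leaks into the
        // output; on 1.5 - 1.9 the same path honours the script, dns and url prefixes.
        System.out.println(substituteWithDefaults(template, values));
        // With the allowlist "${sys:java.version}" stays unresolved; only ${user} is filled.
        System.out.println(substituteAllowlisted(template, values));
    }
}
```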
Methods of attack
Remote access
A remote attack can be carried out via a data network connection or the like without accessing the target system itself.
Without user intervention
A silent attack targets the vulnerability directly, without requiring any action from a user of the target system for the attack to succeed. For example, the user does not have to browse web pages or start a program on the computer; the attack succeeds without the user's help.
Without logging in
The attack does not require logging into the target system. The opposite is an attack that requires a username and password, for example executing commands while logged into the system.
An arbitrary command execution vulnerability should be considered serious because it means that an attacker can use the target system just like a normal user. It can also mean that an attacker who has broken into the system can download their own programs onto it over the network.
CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. The Apache team has patched the vulnerability and released the fix in Commons Text version 1.10.
Vulnerable software
Apache Commons Text
from version 1.5 up to, but not including, version 1.10.0
Solution and limitation possibilities
Update Apache Commons Text to version 1.10.0.
You can find further details about the Apache Commons Text vulnerability, and many other vulnerabilities, in the links below.