Apache Commons Text RCE

Introduction:

A new remote code execution vulnerability, CVE-2022-42889, in the open source Apache Commons Text library, commonly referred to as ‘Text4Shell’, is a critical severity vulnerability. At its technical core it is reminiscent of the now infamous Log4Shell vulnerability: values are processed in a way that allows invoking internal functionality, which could in turn result in execution of arbitrary malicious code.

Apache Commons Text is a low-level library used for various text operations, including calculating string differences, escaping as well as substituting placeholders in text.

Apache Commons Text has a feature that expands text using lookups. Functions such as string substitution call the vulnerable lookup code. This functionality is an implementation of a very basic expression language, which allows invoking several methods from within the interpolated string.

Attack Process:

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.

These lookups are:

  • “script” – execute expressions using the JVM script execution engine (javax.script)
  • “dns” – resolve DNS records
  • “url” – load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.

Affected version:

Apache Commons Text versions 1.5 through 1.9, and all JDK versions.

Impact:

Some experts compared it to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.

Remediation:

The necessary steps to ensure applications are protected against this vulnerability are outlined below:

  • The fix applied by the Apache team was the removal of the dns, script, and url lookups from the default interpolator behavior. In the StringLookupFactory.createDefaultStringLookups() method, DefaultStringLookup.DNS, DefaultStringLookup.URL and DefaultStringLookup.SCRIPT are no longer added by default. In the previous versions, all DefaultStringLookup instances were added by default.

  • Wherever you accept and process untrusted data, especially in Java code, where string interpolation is widely supported and offered as a “feature” by many third-party libraries, make sure you look for and filter out potentially dangerous character sequences from the input first, or take care not to pass that data into string interpolation functions.

  • Apache Commons Text should be upgraded to version 1.10 or later.

  • CyberSRC Consultancy recommends that developers and maintainers watch out for follow-on vendor advisories, install patches as they become available, and prioritize anywhere the vendor indicates that their implementation may be remotely exploitable.
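As an added example (not code from this advisory or from the Apache project), the following Java puts the weak and the corrected configuration side by side: the stock interpolator that the attack process above relies on, an interpolator built from an explicit allow-list with the default lookups disabled, and an input filter that rejects any prefix outside that allow-list, as the remediation bullets suggest. It assumes Commons Text on the classpath and a hypothetical application prefix "app" backed by application-controlled values; Set.of needs Java 9 or later.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class LookupAllowList {
    // Weak setting, common in applications: the stock interpolator. On Commons Text
    // 1.5 through 1.9 it registers the script, dns and url lookups by default.
    static StringSubstitutor defaultInterpolator() {
        return StringSubstitutor.createInterpolator();
    }

    // Hardened setting: explicit allow-list, addDefaultLookups = false, so no default
    // lookup is registered whatever the library version. Only the hypothetical "app"
    // prefix, backed by application-controlled values, resolves.
    static StringSubstitutor allowListInterpolator(Map<String, String> appValues) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", factory.mapStringLookup(appValues));
        StringLookup root = factory.interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(root);
        sub.setEnableSubstitutionInVariables(false); // no nested ${...} in variable names
        return sub;
    }
    // Input filter for data that will later be interpolated: flag any "${prefix:"
    // reference whose prefix is not on the allow-list.
    static boolean hasDisallowedPrefix(String input, Set<String> allowedPrefixes) {
        Matcher m = Pattern.compile("\\$\\{\\s*([A-Za-z0-9_.-]+)\\s*:").matcher(input);
        while (m.find()) {
            if (!allowedPrefixes.contains(m.group(1).toLowerCase(Locale.ROOT))) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("greeting", "hello");
        // Constructed input: one allowed reference and one script-prefixed reference.
        String untrusted = "${app:greeting} ${script:javascript:1+1}";
        System.out.println(hasDisallowedPrefix(untrusted, Set.of("app")));
        // The hardened interpolator leaves the unknown script prefix unresolved.
        System.out.println(allowListInterpolator(values).replace(untrusted));
    }
}
```

The allow-list approach does not depend on the library version, so it is worth keeping even after upgrading to 1.10 or later, where the three risky lookups are no longer defaults.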