Apache vulnerability a risk, but not as widespread as Log4Shell
Security teams should be alert to the potential for compromise arising from a vulnerability in Apache Commons Text that puts many organisations at risk, but is unlikely to be as impactful as 2021's Log4Shell vulnerability.
First disclosed on 13 October and assigned CVE-2022-42889, the vulnerability arises from how Apache Commons Text, a widely used text manipulation library that extends the standard Java Development Kit's text handling, performs variable interpolation, also known as string substitution.
The library includes a standard lookup format for interpolation, but versions 1.5 through 1.9 were found to include other default lookups that could accept untrusted input from a remote attacker, resulting in remote code execution.
Version 1.10.0 of Apache Commons Text disables these problematic lookups by default, and users are advised to upgrade to this version immediately. Paul Ducklin of Sophos also advised users to sanitise their inputs by searching for and excluding potentially dangerous character sequences; to search their networks for Apache Commons Text software they may not have known they had; and to keep an eye open for breaking news of cyber attacks linked to the issue.
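The following is an added illustration, not code from the article or from the Commons Text project, of the two ways an application can wire up the library's substitutor: the risky default interpolator, which resolves whichever lookup prefix appears in the text it is given, beside a hardened configuration that resolves only an explicit map of variables and never re-interpolates substituted values. It assumes commons-text is on the classpath; the template and the user-supplied value are constructed for the example.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example (hypothetical class, not part of Commons Text).
public class SafeInterpolation {

    // Risky pattern: createInterpolator() wires in all default lookups, so in
    // versions 1.5 to 1.9 a "${prefix:...}" sequence in untrusted text selects
    // the lookup that handles it. Attacker-controlled text must never reach this.
    static String riskyRender(String untrustedText) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(untrustedText);
    }

    // Hardened pattern: the template is developer-controlled, variables come
    // only from an explicit map, and "${...}" inside a value is left literal.
    static String hardenedRender(String trustedTemplate, Map<String, String> vars) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.mapStringLookup(vars));
        sub.setDisableSubstitutionInValues(true);   // no second pass over values
        sub.setEnableSubstitutionInVariables(false); // no nested "${${...}}"
        return sub.replace(trustedTemplate);
    }

    // Boundary check in the spirit of the sanitisation advice above: reject
    // user input that carries interpolation syntax at all.
    static boolean containsInterpolationSyntax(String input) {
        return input != null && input.contains("${");
    }

    public static void main(String[] args) {
        // Constructed sample: a greeting template and a hostile-looking value.
        String template = "Hello ${name}, your ticket is ${ticket}";
        String userName = "${env:HOME}"; // would be resolved by the default interpolator

        if (containsInterpolationSyntax(userName)) {
            System.out.println("rejected input at the boundary: " + userName);
        }
        // Even if it slipped through, the map-only substitutor inserts it verbatim.
        String out = hardenedRender(template, Map.of("name", userName, "ticket", "42"));
        System.out.println(out); // Hello ${env:HOME}, your ticket is 42
    }
}
```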
With the December 2021 Log4Shell incident, the exploitation of which remains widespread almost a year on, still fresh in the minds of security professionals, it is not surprising that some are already calling it Text4Shell.
And indeed, there are some similarities, as Rapid7's Erick Galinkin pointed out. Most significantly, both are open source library-level vulnerabilities that can affect a huge number of software applications in which they are used.
“However, initial analysis indicates that this is a bad comparison,” wrote Galinkin. “The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.”
Furthermore, he added, having tested a proof-of-concept exploit against several JDK versions, the Rapid7 team had reported varying degrees of success.
“There are significant caveats to practical exploitability for CVE-2022-42889,” wrote Galinkin. “With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle.”
Similarly, Sophos Threat Research senior manager Christopher Budd also advised security teams not to panic unduly.
“Log4J is a widely used Java library, and any web server running the vulnerable version could have been easily exploited while the Commons Text library isn’t as prevalent,” he said.
“Additionally, Log4J could be exploited with generic code, whereas this new vulnerability likely requires code that is specific and targeted. Finally, most applications will not be passing unsanitised, user-provided values to the library’s vulnerable functions, reducing or negating the exploitation risks.
“Sophos X-Ops is not currently seeing attacks exploiting CVE-2022-42889 in the wild, but will continue monitoring,” said Budd.