- CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9 and it has been patched since version 1.10.
- Systems are only vulnerable if they are using when this software uses the StringSubstituror API without properly sanitizing any untrusted input.
- Since Commons Text is a library, the specific usage of the interpolator will dictate the impact of this vulnerability.
People are worried about a remote code execution found in the open-source Apache Commons Text library and claim that it could turn into the next Log4Shell, however cybersecurity experts disagree. The vulnerability, CVE-2022-42889, affects Apache Commons Text versions 1.5 through 1.9 and it has been patched as of Commons Text version 1.10.
Cybersecurity company Rapid7 published a report about the vulnerability titled “Keep Calm and Stop Saying 4Shell” explaining the details. Rapid7 stated that since it is an open-source library-level vulnerability, some people started comparing the vulnerability with the notorious Log4Shell vulnerability. Researchers at Rapid7 said,
« The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.
In summary, much like with Spring4Shell, there are significant caveats to practical exploitability for CVE-2022-42889. With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle. »
Apache Security Team also published a post and stated that the vulnerability is not as serious as Log4Shell. The team stated that string interpolation is a documented feature, thus, it is much less likely that applications would inadvertently pass in untrusted input without proper validation. Apache Security Team said,
« If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: you are only affected when this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
If your own software uses commons-text, double-check whether it uses the StringSubstitutor API without properly sanitizing any untrusted input. If so, an update to 1.10.0 could be a quick workaround, but the recommended solution is to also properly validate and sanitize any untrusted input. »
The vulnerability was unpatched for seven months but there are no reports of exploitation attempts, even after exploits were released. Still, experts are urging developers to upgrade the version to 1.10 or later to prevent possible attacks. Apache team said,
« For that reason the Apache Commons Text team have decided to update the configuration to be more “secure by default”, so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators. However, it is still recommended that users treat untrusted input with care. »