shorts
CVE-2022-42889: a critical vulnerability in Apache Commons Text library

CVE-2022-42889: a critical vulnerability in Apache Commons Text library

Oct 24, 2022
Sergey Chernyshev
2.7

CVE-2022-42889, also known as “Text4Shell”, is a public vulnerability found in the Apache Commons Text library (commons-text-1.9.jar) versions 1.5 through 1.9 and included into the Apache dev list on October 13, 2022.

Although the OpenJDK code is not affected by this vulnerability, we decided to publish a short notice since many Java developers use this library in production. Find out what it is about, whether your application is affected, and how to mitigate the risk of exploits.

Description

CVE-2022-42889 is nested in the StringSubstitutor class of the library, which performs variable interpolation. The standard interpolation format is “${prefix:name}”, where the prefix is a lookup performing interpolation. If the application uses some default lookups, namely “script”, “dns”, or “url”, they are interpolated by default due to a design flaw and allow for remote code execution or contact with untrusted remote servers when processing malicious input. Most requests are using the DNS prefix: a successful attempt will result in the victim site making a DNS query to the attacker-controlled listener domain.

Risk scope

Some compare Text4Shell to last year’s Log4Shell vulnerability as it affects an open-source library with a potentially wide extent of damage. But Apache Commons Text is less frequently used in an unsafe manner than Apache Log4j, so the probability of successful attacks is much lower. Nevertheless, the vulnerability was assigned a CVSS score of 9.8, which points to severe exploitability not extending beyond the vulnerable components. 

Mitigation 

The vulnerability was patched in Apache Commons Text version 1.10.0. It is recommended to upgrade the library as soon as possible to avoid any exploits. You should also check whether the framework you are using for your project utilizes the library.

This is how you can check for CVE-2022-42889:

  • Search for the library in .pom/.gradle file
  • Use scanners to scan for this or any other vulnerability
  • Analyze the libraries of the compiled project
  • Run docker scan to check whether your container images contain the vulnerability
announcements
Liberica JDK 8u412, 11.0.23, 17.0.11, 21.0.3, 22.0.1 builds are generally available
card image
Apr 17, 2024
Aleksei Voitylov
4.2

Download Liberica JDK CPU versions 8, 11, 17, 21, and 22 with improved security.

posts
What is CRaC? A guide to cutting Java startup and warmup from minutes to milliseconds
card image
Apr 11, 2024
Dmitry Chuyko
8.9

Find out about the Coordinated Restore at Checkpoint feature and how it may benefit your Java apps.

Subcribe to our newsletter

figure

Read the industry news, receive solutions to your problems, and find the ways to save money.

Further reading

posts
End of life for old TLS in OpenJDK and Liberica JDK
card image
Jun 3, 2021
Sergey Chernyshev
13.2

TLS 1.0 and TLS 1.1 are exploitable, so we deprecated them in Liberica JDK. Learn about the security vulnerabilities and solutions.

shorts
Critical vulnerabilities in OpenSSL 3.0
card image
Nov 11, 2022
Sergey Chernyshev
3.7

Find out about the newest CVEs discovered in OpenSSL 3.0 and how to eliminate the risk of exploits

posts
Vulnerability scanning for Java apps
card image
Dec 8, 2021
Sergey Chernyshev
13.6

Vulnerability scanners are useful tools when it comes to monitoring and eliminating security gaps at all production stages.

Sergey Chernyshev
Sergey Chernyshev | Senior Java Platform Engineer at BellSoft