CVE-2022-42889, also known as “Text4Shell”, is a public vulnerability found in the Apache Commons Text library (commons-text-1.9.jar) versions 1.5 through 1.9 and included into the Apache dev list on October 13, 2022.
Although the OpenJDK code is not affected by this vulnerability, we decided to publish a short notice since many Java developers use this library in production. Find out what it is about, whether your application is affected, and how to mitigate the risk of exploits.
Description
CVE-2022-42889 is nested in the StringSubstitutor class of the library, which performs variable interpolation. The standard interpolation format is “${prefix:name}”, where the prefix is a lookup performing interpolation. If the application uses some default lookups, namely “script”, “dns”, or “url”, they are interpolated by default due to a design flaw and allow for remote code execution or contact with untrusted remote servers when processing malicious input. Most requests are using the DNS prefix: a successful attempt will result in the victim site making a DNS query to the attacker-controlled listener domain.
Risk scope
Some compare Text4Shell to last year’s Log4Shell vulnerability as it affects an open-source library with a potentially wide extent of damage. But Apache Commons Text is less frequently used in an unsafe manner than Apache Log4j, so the probability of successful attacks is much lower. Nevertheless, the vulnerability was assigned a CVSS score of 9.8, which points to severe exploitability not extending beyond the vulnerable components.
Mitigation
The vulnerability was patched in Apache Commons Text version 1.10.0. It is recommended to upgrade the library as soon as possible to avoid any exploits. You should also check whether the framework you are using for your project utilizes the library.
This is how you can check for CVE-2022-42889:
- Search for the library in .pom/.gradle file
- Use scanners to scan for this or any other vulnerability
- Analyze the libraries of the compiled project
- Run
docker scan
to check whether your container images contain the vulnerability