Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.
The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity.
Updated Version Available
The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and evaluating string values in code that contain placeholders. "Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers," the advisory said.
NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said, "disables the problematic interpolators by default."
The ASF Apache describes the Commons Text library as providing additions to the standard Java Development Kit's (JDK) text handling. Some 2,588 projects currently use the library, including some major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration, according to data in the Maven Central Java repository.
In an advisory today, GitHub Security Lab said it was one of its pen testers that had discovered the bug and reported it to the security team at ASF in March.
Researchers tracking the bug so far have been cautious in their assessment of its potential impact. Noted security researcher Kevin Beaumont wondered in a tweet on Monday if the vulnerability could result in a potential Log4shell situation, referring to the infamous Log4j vulnerability from late last year.
"Apache Commons Text supports functions that allow code execution, in potentially user supplied text strings," Beaumont said. But in order to exploit it, an attacker would need to find Web applications using this function that also accept user input, he said. "I won't be opening up MSPaint yet, unless anybody can find webapps that use this function and allow user supplied input to reach it," he tweeted.
Proof-of-Concept Exacerbates Concerns
Researchers from threat intelligence firm GreyNoise told Dark Reading the company was aware of PoC for CVE-2022-42889 becoming available. According to them, the new vulnerability is nearly identical to one ASF announced in July 2022 that also was associated with variable interpolation in Commons Text. That vulnerability (CVE-2022-33980) was found in Apache Commons Configuration and had the same severity rating as the new flaw.
"We are aware of Proof-Of-Concept code for CVE-2022-42889 that can trigger the vulnerability in an intentionally vulnerable and controlled environment," GreyNoise researchers say. "We are not aware of any examples of widely deployed real-world applications utilizing the Apache Commons Text library in a vulnerable configuration that would allow attackers to exploit the vulnerability with user-controlled data."
GreyNoise is continuing to monitor for any evidence of "proof-in-practice" exploit activity, they added.
Jfrog Security said it is monitoring the bug and so far, it appears likely that the impact will be less widespread than Log4j. "New CVE-2022-42889 in Apache Commons Text looks dangerous," JFrog said in a tweet. "Seems to only affect apps that pass attacker-controlled strings to-StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup()," it said.
The security vendor said people using Java version 15 and later should be safe from code execution since script interpolation won't work. But other potential vectors for exploiting the flaw — via DNS and URL — would still work, it noted.