- Jul 27, 2015
Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.
The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity.
The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and evaluating string values in code that contain placeholders. "Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers," the advisory said. NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said, "disables the problematic interpolators by default."
Researchers tracking the bug so far have been cautious in their assessment of its potential impact. Noted security researcher Kevin Beaumont wondered in a tweet on Monday if the vulnerability could result in a potential Log4shell situation, referring to the infamous Log4j vulnerability from late last year.
"Apache Commons Text supports functions that allow code execution, in potentially user supplied text strings," Beaumont said. But in order to exploit it, an attacker would need to find Web applications using this function that also accept user input, he said. "I won't be opening up MSPaint yet, unless anybody can find webapps that use this function and allow user supplied input to reach it," he tweeted.
There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.