The open-source Apache Commons Text library has been found to contain a vulnerability that could allow attackers to achieve remote code execution. Some observers have expressed concern that the newly discovered flaw could become the next Log4Shell. Experts, however, say it is far from being the next critical flaw threatening large numbers of organizations.
Apache Commons Text is a well-known open-source Java library that gives developers utilities to generate, modify, decode, and escape strings, including variable interpolation based on string lookups.
Researchers dubbed the new Apache Commons Text flaw as Text4Shell.
According to analysts, the Apache Commons Text flaw is tracked as CVE-2022-42889 and has been named Text4Shell. It stems from unsafe script evaluation by the library's interpolation system, which can lead to code execution when malicious input is processed in the default configuration.
Apache's developers explained that from version 1.5 through 1.9, the set of default lookups included interpolators that could result in arbitrary code execution or contact with remote servers.
As a result, applications that use the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
Apache's developers urge users to upgrade Commons Text to version 1.10.0, which disables the problematic interpolators by default. Unfortunately, it took about seven months to develop a fix for the open-source library, and the 1.10.0 release only arrived earlier this month, so the flaw was accessible to anyone for a substantial period.
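The upgrade to 1.10.0 only changes the default lookup set; an application that builds its own interpolator can still opt back into the risky lookups. The following Java snippet is an added example, not code from the article or from the Apache project, showing the defensive pattern a practitioner would want: a substitutor restricted to an explicit allow-list of values (so untrusted `${...}` expressions are left unresolved rather than evaluated), a variant that uses the interpolator API with default lookups explicitly turned off, and a simple pre-check that flags the lookup prefixes removed from the 1.10.0 defaults. The class name `SafeInterpolation`, the method names, and the sample template are assumptions made for this example; the Commons Text API calls (`StringSubstitutor`, `StringLookupFactory`) are real.

```java
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Added example (hypothetical class name): safe string interpolation with Commons Text. */
public class SafeInterpolation {

    // Lookup prefixes that 1.10.0 dropped from the default set because they can
    // execute code or reach out to the network. Used here only to flag input for review.
    private static final Pattern RISKY_PREFIX =
            Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    /** Returns true if untrusted text contains a lookup prefix that should never be interpolated. */
    public static boolean containsRiskyLookup(String untrusted) {
        return untrusted != null && RISKY_PREFIX.matcher(untrusted).find();
    }

    /**
     * Allow-list substitutor: variables resolve ONLY against the supplied map.
     * No interpolator is involved, so "${script:...}" is just an unknown variable
     * and is left untouched in the output.
     */
    public static StringSubstitutor mapOnlySubstitutor(Map<String, String> values) {
        return new StringSubstitutor(values);
    }

    /**
     * If prefixed lookups are genuinely needed, build the interpolator explicitly and
     * pass addDefaultLookups=false so that no library-chosen defaults (on any version)
     * are silently included. Here only the map lookup is registered.
     */
    public static StringSubstitutor explicitInterpolator(Map<String, String> values) {
        StringLookup mapLookup = StringLookupFactory.INSTANCE.mapStringLookup(values);
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of(),     // no prefixed lookups at all
                mapLookup,    // unprefixed variables resolve from our map
                false);       // do not add the default lookups
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> values = Map.of("user", "alice", "host", "build-01");

        // Constructed sample templates: one benign, one carrying an untrusted lookup prefix.
        String benign = "Deploy by ${user} on ${host}";
        String suspicious = "Deploy by ${user} ${script:javascript:1+1}";

        StringSubstitutor safe = mapOnlySubstitutor(values);
        System.out.println(safe.replace(benign));      // Deploy by alice on build-01
        System.out.println(safe.replace(suspicious));  // script expression left unresolved, not executed

        StringSubstitutor explicit = explicitInterpolator(values);
        System.out.println(explicit.replace(benign));  // Deploy by alice on build-01

        // Pre-check for logging/alerting before any interpolation happens.
        System.out.println("risky? " + containsRiskyLookup(suspicious)); // risky? true
        System.out.println("risky? " + containsRiskyLookup(benign));     // risky? false
    }
}
```

The map-only form is the right default for templating user-facing text; the explicit interpolator form exists for code that really needs prefixed lookups and makes the chosen lookup set visible in code review, which matters because upgrading to 1.10.0 does not protect a caller that adds the script, DNS, or URL lookups itself.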
Some observers worry that the flaw could cause widespread damage, since the library is widely deployed and the vulnerable versions date back to 2018.
Fortunately, recent research has tempered these concerns by showing that not all versions from 1.5 to 1.9 are fully exploitable, and that successful exploitation also appears to depend on the JDK version in use.
For now, cybersecurity experts are reminding everyone that the threat is not as severe as the Log4j vulnerability. Users are therefore advised to wait for more refined proofs of concept and remediation guidance for the recently discovered flaw.