CVE-2022-42889, also known as Text4Shell, is a security vulnerability in the Apache Commons Text library. It can lead to unsafe script evaluation and arbitrary code execution when an attacker controls input that reaches the library's string interpolation functionality.
The name Text4Shell instantly invokes memories of the Log4Shell (CVE-2021-44228) vulnerability. Although Text4Shell (CVE-2022-42889) is not nearly as widespread or severe, it can be impactful in some situations.
When Was It Discovered?
The Text4Shell or Act4Shell vulnerability was first discovered by Alvaro Muñoz, a researcher at GitHub Security Lab, in March 2022. The Apache Dev List announced the vulnerability on Oct 13, 2022.
CVE-2022-42889: Technical Breakdown
How Does The Text4Shell Vulnerability Work?
The Apache Commons Text library contains string-related utilities, such as calculating string differences or similarities, translating, etc. One of the components included in the library is the StringSubstitutor interpolator, a string lookup facility that evaluates placeholders in an input string and substitutes the values it retrieves.
The standard format for interpolation is ${prefix:name}, where 'prefix' selects one of the available lookup instances, such as "script", "dns" or "url", which is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.
For example, ${script:javascript_code} may trigger a script lookup that executes JavaScript code.
Attackers can exploit these lookups by injecting payloads like the ones below to obtain Remote Code Execution (RCE):
${script:java.lang.Runtime.getRuntime().exec('calc.exe')}
which opens the calculator app on Windows, or
${url:https://malicious.website}
which triggers the fetching of an external resource and opens the door to further attacks.
What is The Potential Impact of Text4Shell?
Remote Code Execution
Attackers can exploit the weakness in the interpolation feature to execute arbitrary commands on the vulnerable system, compromising the overall security of the host environment and potentially gaining complete access.
Sensitive Data Exposure
Attackers can use the DNS or URL lookup instances to extract sensitive information, such as configuration details, and send it to servers they control.
Network Intrusion
After successfully exploiting the vulnerability, attackers can gain unauthorized access to the network’s internal resources and can move laterally, escalate their privileges, and compromise any other systems in this network.
The Comparison With Log4Shell
Even though both Log4Shell and Text4Shell are library-oriented CVEs, their comparison is a little far-fetched. Firstly, the log4j library is used at a much wider scale than the Commons Text library. Secondly, the vulnerable interpolation method is rarely used in open-source programs and hardly any of them parse user-controlled inputs.
What Is The Current Status?
CVE-2022-42889 exists in the StringSubstitutor Interpolator object in versions 1.5 through 1.9 of the Apache Commons Text library, and it has a CVSS score of 9.8 out of 10.0.
Apache Commons Text released a patch in version 1.10.
Text4Shell can be exploited through JEXL engines on JDK versions 1.8.0_341, 9.0.4, 10.0.2, 11.0.16.1, 12.0.2, 13.0.2 and 14.0.2. The exploitation failed on versions 15.0.2, 16.0.2, 17.0.4.1, 18.0.2.1 and 19.
What Can You Do?
If you have dependencies on the Apache Commons Text library, you should ensure that you update to version 1.10 in order to avoid the Text4Shell vulnerability. Employ strict input validation on user-controlled or external data that the StringSubstitutor processes. Perform a code review to check for unsafe use of the StringSubstitutor class and for interpolation patterns that involve user-supplied data.
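The following Java snippet, added here as an illustration and not taken from the Apache Commons Text project or the original article, shows the pattern a code review should flag (the default interpolator applied to untrusted input) next to a hardened form that only resolves an explicit allow-list of lookups, so a ${script:...}, ${dns:...} or ${url:...} token is left unresolved rather than evaluated. The "cfg" prefix, the appName key and the sample input are assumptions made for this example.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SubstitutorHardening {

    // Risky pattern described in the article: createInterpolator() wires in the
    // default lookups (script, dns, url, ...), so any ${prefix:name} token in
    // untrusted input is dispatched to them. Listed only so reviewers can
    // recognise it; do not pass user-controlled data through it.
    static String riskyInterpolate(String untrusted) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(untrusted);
    }

    // Hardened form: an explicit allow-list of lookups, no default lookup for
    // un-prefixed keys, and addDefaultLookups = false so the dangerous
    // script/dns/url lookups are never registered.
    static String safeInterpolate(String untrusted, Map<String, String> allowedValues) {
        StringLookup values = StringLookupFactory.INSTANCE.mapStringLookup(allowedValues);
        StringLookup restricted = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of("cfg", values), // "cfg" prefix is an assumption for this example
                null,                  // no fallback lookup for keys without a prefix
                false);                // do not add the default lookups
        StringSubstitutor sub = new StringSubstitutor(restricted);
        sub.setEnableSubstitutionInVariables(false); // no nested ${...} inside variable names
        sub.setDisableSubstitutionInValues(true);    // resolved values are not re-interpolated
        return sub.replace(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample: a user-supplied field carrying an interpolation token.
        String input = "Hello ${cfg:appName}, field=${script:javascript_code}";
        System.out.println(safeInterpolate(input, Map.of("appName", "demo")));
    }
}
```

Run against the sample input, the allow-listed ${cfg:appName} token is substituted while the ${script:...} token survives verbatim in the output, which is the behaviour to confirm in a unit test after switching from the default interpolator.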
Astra’s automated scanner detects the Text4Shell vulnerability and offers step-by-step guidelines to fix it.
Final Thoughts
In theory, the Text4Shell vulnerability can wreak havoc on your network, and it is better to have it fixed as soon as possible. Overall, it is not as potent a threat as Log4Shell, simply because of the limited usage of the affected library.
If you have any questions regarding this or if you'd like to discuss your security in general, talk to an expert.