{"id":23262,"date":"2022-10-30T22:03:07","date_gmt":"2022-10-30T16:33:07","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=23262"},"modified":"2024-12-05T04:11:30","modified_gmt":"2024-12-04T22:41:30","slug":"cve-2022-42889-a-k-a-text4shell-the-problem-the-solutions","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/security-audit\/cve-2022-42889-a-k-a-text4shell-the-problem-the-solutions\/","title":{"rendered":"CVE-2022-42889 a.k.a Text4Shell: The Problem &amp; The Solutions&nbsp;"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">CVE-2022-42889, or Text4Shell, is a security vulnerability in the Apache Commons Text library. It can lead to unsafe script evaluation and arbitrary code execution through the library's string interpolation functionality.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The name Text4Shell instantly invokes memories of the Log4Shell (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44228\" target=\"_blank\" rel=\"noopener\">CVE-2021-44228<\/a>) vulnerability. Although Text4Shell (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-42889\" target=\"_blank\" rel=\"noopener\">CVE-2022-42889<\/a>) is not nearly as widespread or severe, it can be impactful in some situations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"When_Was_It_Discovered\"><\/span>When Was It Discovered?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Text4Shell or Act4Shell vulnerability was first discovered by Alvaro Mu\u00f1oz, a researcher at GitHub Security Labs, in March 2022. 
The Apache Dev List announced the vulnerability on Oct 13, 2022.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"CVE-2020-42889_Technical_Breakdown\"><\/span><strong>CVE-2022-42889: Technical Breakdown<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How Does The Text4Shell Vulnerability Work?<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The Apache Commons Text library contains string-related utilities and packages, such as calculating string differences or similarities, translating, etc. One of the objects included in the library is the StringSubstitutor Interpolator. It provides string lookup functionality that evaluates variables embedded in input strings and substitutes their resolved values.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The standard format for interpolation is <code><strong>${prefix:name}<\/strong><\/code>, where \u2018prefix\u2019 selects one of the Lookup instances (such as script, dns, or url) used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For example:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code><strong>${script:javascript_code}<\/strong><\/code> may trigger a script lookup that executes JavaScript code.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers can exploit these instances by injecting malicious payloads like the ones below to obtain Remote Code Execution (RCE).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code><strong>${script:java.lang.Runtime.getRuntime().exec('calc.exe')}<\/strong><\/code> opens the calculator app on Windows<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">or<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code><strong>${url:https:\/\/malicious.website}<\/strong><\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">which triggers the fetching of an external resource and gives rise to a series 
of vulnerabilities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_The_Potential_Impact_of_Text4Shell\"><\/span><strong>What is The Potential Impact of Text4Shell?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Remote Code Execution<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers can exploit the weakness in the interpolation feature to execute arbitrary commands on the vulnerable system, compromising the overall security of the host environment and potentially gaining complete access.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Sensitive Data Exposure<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers can use the DNS or URL lookup instances to extract sensitive information, such as configuration details, and send it to servers they control.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Network Intrusion<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">After successfully exploiting the vulnerability, attackers can gain unauthorized access to the network\u2019s internal resources, move laterally, escalate their privileges, and compromise other systems on the network.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_Comparison_With_Log4Shell\"><\/span>The Comparison With Log4Shell<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Even though both <a href=\"https:\/\/www.getastra.com\/blog\/security-audit\/zero-day-rce-in-log4j2\/\">Log4Shell<\/a> and Text4Shell are library-oriented CVEs, their comparison is a little far-fetched. Firstly, the log4j library is used at a much wider scale than the Commons Text library. 
Secondly, the vulnerable interpolation method is rarely used in open-source programs, and hardly any of them pass user-controlled input to it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Is_The_Current_Status\"><\/span><strong>What Is The Current Status?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">CVE-2022-42889 exists in the StringSubstitutor Interpolator object in versions 1.5 through 1.9 of the Apache Commons Text library, and it has a CVSS score of 9.8 out of 10.0.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Apache Commons Text released a patch in version 1.10.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Text4Shell can be exploited through JEXL engines on JDK versions 1.8.0_341, 9.0.4, 10.0.2, 11.0.16.1, 12.0.2, 13.0.2, and 14.0.2. Exploitation failed on versions 15.0.2, 16.0.2, 17.0.4.1, 18.0.2.1, and 19.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Can_You_Do\"><\/span>What Can You Do?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you have dependencies on the Apache Commons Text library, you should ensure that you update to version 1.10 in order to avoid the Text4Shell vulnerability. Employ strict input validation on user-controlled or external data that the StringSubstitutor processes. 
Perform a code review to check for unsafe use of the StringSubstitutor class and interpolation patterns that involve user-supplied data.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Astra\u2019s automated scanner detects the Text4Shell vulnerability and offers step-by-step guidelines to fix it.<\/strong><\/h4>\n\n\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Final_Thoughts\"><\/span><strong>Final Thoughts<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In theory, the Text4Shell vulnerability can wreak havoc on your network, and it is better to have it fixed as soon as possible. Overall, it is not as potent a threat as Log4Shell, simply because of the limited usage of the affected library.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you have any questions regarding this or if you\u2019d like to discuss your security in general, <a href=\"https:\/\/astra.sh\/talk-to-us\" target=\"_blank\" rel=\"noopener\">Talk to an expert.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2022-42889, or Text4Shell, is a security vulnerability in the Apache Commons Text library. It can lead to unsafe script evaluation and arbitrary code execution through the library's string interpolation functionality. The name Text4Shell instantly invokes memories of the Log4Shell (CVE-2021-44228) vulnerability. 
Although Text4Shell (CVE-2022-42889) is not nearly as widespread or severe, it can be impactful &#8230; <a title=\"CVE-2022-42889 a.k.a Text4Shell: The Problem &amp; The Solutions&nbsp;\" class=\"read-more\" href=\"https:\/\/www.getastra.com\/blog\/security-audit\/cve-2022-42889-a-k-a-text4shell-the-problem-the-solutions\/\" aria-label=\"Read more about CVE-2022-42889 a.k.a Text4Shell: The Problem &amp; The Solutions&nbsp;\">Read more<\/a><\/p>\n","protected":false},"author":103,"featured_media":36013,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[340],"tags":[],"class_list":["post-23262","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-audit"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/23262","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/103"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=23262"}],"version-history":[{"count":6,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/23262\/revisions"}],"predecessor-version":[{"id":36016,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/23262\/revisions\/36016"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/36013"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=23262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/categories?post=23262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?po
st=23262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}