A remote code execution vulnerability in the Apache Commons Text library has sparked comparisons with the ‘Log4Shell’ flaw that surfaced in the widely used open-source component Log4j last year.
Tracked as CVE-2022-42889, the Commons Text bug centers on unsafe execution in the library’s variable interpolation functionality. An attacker can exploit the bug to trigger code execution when the library processes malicious input in its default configuration.
The Rapid7 researchers who discovered and reported the Commons Text flaw in March have downplayed its impact relative to Log4Shell.
The vulnerable StringSubstitutor interpolator is considerably less widely used than the vulnerable string substitution in Log4j, and the nature of such an interpolator means that getting crafted input to the vulnerable object is less likely than merely interacting with such a crafted string, as in Log4Shell.
“The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison,” reads the technical analysis published by Rapid7 researchers. “The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.”
Apache’s security team also confirmed that the scope of the flaw is not as serious as Log4Shell, explaining that the string interpolation is a documented feature.
“The vulnerability is indeed very similar. The Apache Commons Text code appears to be based on the Log4j code, as both of them enable interpolation of multiple Lookup sources. Log4j enabled JNDI lookups [while] Apache Commons Text and Apache Commons Configuration allow script lookups – both could lead to RCE. The impact is, therefore, very high,” the researchers explained.
Preventive measures
The flaw affects Apache Commons Text versions 1.5 through 1.9 on all JDK versions, and has been fixed in version 1.10. Users are advised to upgrade Apache Commons Text to 1.10.0, which disables the problematic interpolators by default.
Users should install these patches as soon as they become available, and prioritize any systems where the vendor indicates that its implementation may be remotely exploitable.
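To find where the upgrade is needed, the following added example (not from the article, Rapid7 or Apache) inventories Commons Text copies inside JAR, WAR and EAR files, including libraries bundled in fat JARs, and flags versions in the 1.5 to 1.9 range given above. It assumes the artifact carries its standard Maven `pom.properties` metadata and falls back to the file name otherwise; the function names are illustrative.

```python
# Added example: inventory check for the affected range; names are illustrative.
import io
import re
import sys
import zipfile
from pathlib import Path

# Range from the article: 1.5 through 1.9 affected, fixed in 1.10.0.
AFFECTED_MIN, FIXED = (1, 5), (1, 10)
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
JAR_NAME = re.compile(r"commons-text-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def is_affected(version):
    """Compare numerically: as strings, '1.10' would sort below '1.9'."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:2])
    return AFFECTED_MIN <= v < FIXED

def scan_archive(data, label, depth=0):
    """Return [(location, version, affected)], following nested archives."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.M)
                if m:
                    hits.append((label, m.group(1), is_affected(m.group(1))))
            elif name.lower().endswith(ARCHIVES) and depth < 5:
                inner = scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)
                by_name = JAR_NAME.search(name)
                if not inner and by_name:  # no Maven metadata: trust the file name
                    ver = by_name.group(1)
                    inner = [(f"{label}!/{name}", ver, is_affected(ver))]
                hits += inner
    return hits

def scan_tree(root):
    """Scan every archive under a directory, e.g. an application's deploy dir."""
    return [h for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() in ARCHIVES
            for h in scan_archive(p.read_bytes(), str(p))]

if __name__ == "__main__":
    for loc, ver, bad in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("AFFECTED" if bad else "ok      "), ver, loc)
```

A hit only shows the library is present in an affected version; whether the application passes untrusted input to the interpolator still has to be checked in the code.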