October 20, 2022 at 3:17 PM
A critical security hole affecting Apache Commons Text has been compared to the notorious Log4Shell vulnerability, but experts say it’s not as widespread.
Apache Commons Text is an open source Java library designed for working with strings. Alvaro Munoz, a researcher at GitHub's Security Lab, discovered in March that the library is affected by an arbitrary code execution vulnerability: its StringSubstitutor class, when created with the default interpolator, performs variable interpolation using lookups such as "script", "dns" and "url", so an application that runs untrusted input through it lets an attacker execute script code, trigger DNS resolution or fetch arbitrary URLs.
The flaw, tracked as CVE-2022-42889, affects versions 1.5 through 1.9 and was patched by Apache Commons developers last week with the release of version 1.10.0, which disables the script, dns and url lookups by default.
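The following Java snippet is an added illustration, not code from the article, from GitHub's Security Lab or from the Apache Commons project. It places the vulnerable usage pattern next to two hardened forms. The class name, the helper method names and the UNTRUSTED template string are constructed for the example; the attacker-controlled value stands in for something like a query parameter that an application naively feeds into a template.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    // Constructed example of attacker-controlled input. On Commons Text 1.5-1.9 the
    // "script" lookup hands the JavaScript to the JDK's JSR-223 engine; the "dns" and
    // "url" lookups give an out-of-band probe even where no script engine is present.
    static final String UNTRUSTED =
        "${script:javascript:java.lang.Runtime.getRuntime().exec('id')}";

    // Vulnerable pattern: createInterpolator() wires in every default lookup (on
    // 1.5-1.9 that includes script, dns and url) and the template itself is untrusted.
    static String vulnerable(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // Hardened form 1: a plain map lookup with no interpolator prefixes at all.
    // "${script:...}" matches no key and is left in the output as literal text.
    static String hardenedMapOnly(String template, Map<String, String> values) {
        return new StringSubstitutor(values).replace(template);
    }

    // Hardened form 2, for when prefixed lookups are genuinely needed: build the
    // interpolator from an explicit allow-list and pass addDefaultLookups=false so
    // nothing outside the list is reachable. Keep env/sys out of the list for
    // untrusted templates, since ${env:...} and ${sys:...} would leak secrets.
    static String hardenedAllowList(String template, Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(
            allowed, StringLookupFactory.INSTANCE.mapStringLookup(values), false);
        return new StringSubstitutor(lookup).replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");
        // Both hardened variants print the payload back verbatim instead of running it.
        System.out.println(hardenedMapOnly("Hello ${user}: " + UNTRUSTED, values));
        System.out.println(hardenedAllowList("${date:yyyy} ${user}: " + UNTRUSTED, values));
        // vulnerable(UNTRUSTED) is deliberately not invoked here.
    }
}
```

The practical check this suggests for a code base is to grep for StringSubstitutor.createInterpolator() and for StringLookupFactory.INSTANCE.interpolatorStringLookup() and ask, for each hit, whether the template or any substituted value can originate from outside the application; upgrading to 1.10.0 removes the dangerous defaults, but an explicit allow-list is still the right shape regardless of library version.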
Apache Commons Text is used by many developers and organizations, and some have rushed to describe CVE-2022-42889 as the next Log4Shell vulnerability. Log4Shell (CVE-2021-44228) impacts the widely used Log4j Java logging framework and has been exploited in many attacks since its disclosure nearly one year ago.
CVE-2022-42889 has been named Text4Shell and Act4Shell due to its similarity to Log4Shell, but many believe that while the vulnerability could be dangerous, it currently does not deserve a name and logo.
Rapid7 researchers have analyzed the vulnerability and determined that it should not be compared to Log4Shell.
“The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input,” they explained.
In addition, they tested it against various versions of the JDK, and their proof-of-concept (PoC) exploit only worked without warnings against versions 9.0.4, 10.0.2 and 1.8.0_341. The reason is that the "script" lookup depends on a JSR-223 JavaScript engine: the JDK's bundled engine, Nashorn, was deprecated in JDK 11 and removed in JDK 15, so on current JDKs the code execution vector is absent unless the application ships its own script engine. The "dns" and "url" lookups do not depend on a script engine and remain usable for out-of-band probing on any JDK.
Sophos said the vulnerability is dangerous and described it as ‘like Log4Shell all over again’, but the company admitted that, for the time being, exploiting it on vulnerable servers is not as easy as in the case of the Log4j bug. Others have reached the same conclusion.
