Researchers are on the lookout for a critical new vulnerability in Apache Commons Text

Researchers are closely monitoring a critical, newly discovered vulnerability in Apache Commons Text that gives unauthorized attackers a way to remotely execute code on servers running applications with the affected component.

The flaw (CVE-2022-42889) has been assigned a severity rating of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, although so far there have been no signs of exploitation in the wild.

Updated version available

The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24, but issued an advisory for the vulnerability only last Thursday. In it, the Foundation described the bug as arising from insecure defaults when Apache Commons Text performs variable interpolation, the process of finding placeholders embedded in string values and replacing them with evaluated results. "Beginning in version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers," the advisory states.

NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, saying it "disables problematic interpolators by default."

ASF describes the Commons Text library as a text-handling addition to the standard Java Development Kit (JDK). Some 2,588 projects currently use the library, including major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration, according to data in the Maven Central Java repository.

In today's advisory, GitHub Security Lab said one of its researchers discovered the bug and reported it to the security team at ASF in March.

Researchers who have tracked the bug so far have been cautious about assessing its potential impact. Well-known security researcher Kevin Beaumont wondered in a tweet on Monday whether the vulnerability could result in a potential Log4shell situation, referencing the infamous Log4j vulnerability from late last year.

"Apache Commons Text supports functions that allow code execution in text strings potentially supplied by the user," Beaumont said. But to exploit it, an attacker would need to find web applications that use this feature and also accept user input, he said. "I'm not going to open MSPaint yet, unless anyone can find web apps that use this feature and allow user-supplied input to reach it," he tweeted.

Proof of concept exacerbates the concern

Researchers at threat intelligence firm GreyNoise told Dark Reading that the company is aware that a PoC for CVE-2022-42889 has become available. According to them, the new vulnerability is almost identical to one the ASF published in July 2022, which was also linked to variable interpolation in Commons Text. That vulnerability (CVE-2022-33980) was found in Apache Commons Configuration and had the same severity rating as the new flaw.

“We are aware of Proof-Of-Concept code for CVE-2022-42889 that may trigger the vulnerability in an intentionally vulnerable and controlled environment,” the GreyNoise researchers said. “We are not aware of any examples of widespread real-world applications using the Apache Commons Text library in a vulnerable configuration that would allow attackers to exploit the vulnerability using user-controlled data.”

GreyNoise continues to monitor any evidence of a “proof-of-practice” exploit, they added.

JFrog Security said it is tracking the bug and that so far its impact appears likely to be less widespread than Log4j's. "New CVE-2022-42889 in Apache Commons Text looks dangerous," JFrog said in a tweet. "Only applications that pass attacker-controlled strings to StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup() appear to be affected," it said.

The security vendor said that people using Java version 15 and above should be safe from the code-execution vector, because script interpolation will not work on those runtimes. But the other potential vectors for exploiting the flaw (via DNS and URL lookups) would still work, it noted.
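The vulnerable call pattern JFrog names above, shown beside a hardened form, as an added example that is not code from the article or from the Commons Text project. It assumes the Commons Text 1.10.0 API names (`StringLookupFactory`, `StringSubstitutor`) and a hypothetical handler that renders a greeting from untrusted input; the hardened version works on any affected version because it never relies on the library's default lookup set.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    // RISKY (the pattern JFrog describes): attacker-controlled text is passed
    // straight into the default interpolator. On 1.5-1.9 that interpolator
    // resolved the script, dns and url lookups the advisory warns about.
    static String risky(String untrusted) {
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup();
        return new StringSubstitutor(lookup).replace("Hello, " + untrusted);
    }

    // HARDENED: the template is a constant the application owns; untrusted
    // text only enters as a map *value*, the interpolator is built from an
    // explicit allow-list, and resolved values are never expanded again.
    static String hardened(String untrusted) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put(StringLookupFactory.KEY_DATE, StringLookupFactory.INSTANCE.dateStringLookup());

        Map<String, String> values = new HashMap<>();
        values.put("name", untrusted);
        StringLookup valueLookup = StringLookupFactory.INSTANCE.mapStringLookup(values);

        // addDefaultLookups=false: no script, dns, url, env, sys, file, ... prefixes
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, valueLookup, false);

        StringSubstitutor sub = new StringSubstitutor(interpolator);
        sub.setDisableSubstitutionInValues(true); // a value that looks like ${...} stays literal
        return sub.replace("Hello, ${name}! Today is ${date:yyyy-MM-dd}.");
    }

    public static void main(String[] args) {
        // Constructed sample: input that looks like a placeholder must be printed
        // back verbatim by the hardened path, not resolved as a lookup.
        String input = "${date:yyyy}";
        System.out.println(hardened(input));
    }
}
```

The allow-list approach is what to reach for when the upgrade to 1.10.0 cannot happen immediately; after upgrading, it still documents which lookups a given code path is permitted to use.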
