Is this the next Log4J? [297 words]
What: The Apache Foundation appears to have quietly fixed a critical remote code execution (RCE) in Apache Common Text versions 1.5 through 1.9. The vulnerability is being tracked as CVE-2022-42889. Proof of Concept code for the vulnerability is already available. NIST says the vulnerability is currently being analyzed so not all information on it is currently available.
The Apache Foundation recommends that impacted versions be upgraded to Apache Commons Text 1.10.0.
Here’s the official description
“Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.”
Why it matters: Security researcher Kevin Beaumont has warned the new vulnerability could well be the next Log4Shell. “Apache Commons Text supports functions that allow code execution, in potentially user supplied text strings,” Beaumont noted. According to him, it appears that ${prefix:name} supports functions to execute code, do DNS lookups and retrieve URLs. “I’d add a lot of caution that for a webapp to be vulnerable, they’d have to be passing this along from external input.” The fixed version of the library appears to have been released weeks ago, but nobody documented the CVE.
GreyNoise said it is aware of PoC for the vulnerability as well as “libraries that are directly/indirectly dependent on org.apache.commons:commons-text “We have not yet determined if the vulnerable code path is reachable by user input at this time and are actively monitoring.”
Details:
