Text4Shell or Log4Shell? Again!

Last week, more details emerged about a vulnerability in Apache Commons Text that has been nicknamed Text4Shell because of its resemblance to Log4Shell.

CVE-2022-42889 is a critical vulnerability (rated 9.8 by NVD) in the way the library processes untrusted input during variable interpolation. It affects Apache Commons Text 1.5 through 1.9 and can lead to remote code execution (RCE), but exploitation is possible only under certain conditions.

Apache Commons Text is an open source Java library of string utilities, including variable interpolation. It is used by many developers and companies, often indirectly as a transitive dependency.

Vulnerability root cause

The library contains a variable interpolation mechanism, StringSubstitutor, which replaces placeholders in a template string with values. Placeholders have the form ${prefix:[options]:data}, where prefix selects the lookup that processes data (together with any options). The default interpolator in versions 1.5 through 1.9 wires in lookups whose prefixes script, dns and url respectively evaluate a script through the JDK's scripting engine, resolve DNS names, and fetch the contents of a URL. If an attacker controls the template string, a placeholder such as ${script:javascript:...} is therefore evaluated inside the JVM.
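The root cause in code, as an added example that is not part of the original post and not code from the Apache Commons Text project. It is written against commons-text 1.9; the class and method names (`Text4ShellRootCause`, `vulnerable`, `hardened`) and the attacker string are constructed for illustration, and the "payload" only reads a JVM property so the demonstration is harmless:

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;

public class Text4ShellRootCause {

    // Constructed attacker-controlled string. It is deliberately harmless: the "script"
    // prefix selects the JSR-223 script lookup, which evaluates the JavaScript expression
    // inside the JVM; a java.lang.Runtime call would be evaluated the same way.
    static final String UNTRUSTED =
            "${script:javascript:java.lang.System.getProperty('java.version')}";

    // VULNERABLE pattern: the untrusted string is used as the template itself, and the
    // default interpolator of commons-text 1.5-1.9 resolves the script, dns and url prefixes.
    // (createInterpolator() exists since 1.8; older releases reach the same lookup through
    // StringLookupFactory.INSTANCE.interpolatorStringLookup().)
    static String vulnerable(String untrusted) {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
        return interpolator.replace(untrusted);
    }

    // HARDENED pattern: the template is a constant under the developer's control and the
    // untrusted data is only ever a value in the map. A map-backed substitutor has no
    // script/dns/url lookups at all, and substitution inside values is switched off so a
    // value cannot act as a second-level template.
    static String hardened(String untrusted) {
        Map<String, String> values = new HashMap<>();
        values.put("comment", untrusted);
        StringSubstitutor sub = new StringSubstitutor(values);
        sub.setDisableSubstitutionInValues(true);
        return sub.replace("User comment: ${comment}");
    }

    public static void main(String[] args) {
        // With 1.5-1.9 and a JavaScript engine on the JDK (Nashorn, JDK 8-14) this prints the
        // JVM version, proving the expression ran. On a JDK without an engine the script
        // lookup throws IllegalArgumentException: the vulnerable path was still reached,
        // there was just no engine to run the payload with.
        try {
            System.out.println("vulnerable: " + vulnerable(UNTRUSTED));
        } catch (IllegalArgumentException e) {
            System.out.println("vulnerable path reached, no script engine: " + e.getMessage());
        }
        // Always prints the attacker string verbatim, never evaluated.
        System.out.println("hardened:   " + hardened(UNTRUSTED));
    }
}
```

The point of the hardened variant is not a safer lookup but a different data flow: the template never comes from the user. Even a hardened interpolator built with only "safe" lookups such as env or sys still discloses local data if the attacker controls the template.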

In the wild or not yet?

According to Defiant, a WordPress security company, attempts to exploit the new Apache Commons Text vulnerability have already been observed, but so far they appear to be reconnaissance (scanning) rather than working exploitation. Sophos researchers agree and note that exploiting it on vulnerable hosts is currently harder than exploiting Log4Shell was.

How to fix vulnerabilities and what to do next?

The vendor has published an official fix, Apache Commons Text 1.10.0, but it does not close the issue completely: the dangerous lookups are removed from the default set rather than from the library.

Research results and vulnerability analysis show that:

  • The library can still be vulnerable after upgrading to version 1.10.0. The script, dns and url lookups are disabled by default, but they can be put back through a system property (org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups) set in the application's environment;
  • Exploitation depends on attacker-controlled data reaching the replace (or replaceIn) methods of the StringSubstitutor class as the template. For the packages that bundle Apache Commons Text, there is currently no public information about a direct path from user input to these methods.
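A runtime self-check for the 1.10.0 caveat above, as an added example that is not part of the original post and not code from the Apache Commons Text project. The property name is the one exposed as StringLookupFactory.DEFAULT_STRING_LOOKUPS_PROPERTY in 1.10.0, written as a literal so the class also compiles against 1.9; the comma/whitespace-separated parsing of its value is assumed from that release and should be verified against the jar you ship. The class and method names are constructed for illustration:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import org.apache.commons.text.StringSubstitutor;

public class Text4ShellSelfCheck {

    // Name of the 1.10.0 system property that overrides the default lookup set
    // (StringLookupFactory.DEFAULT_STRING_LOOKUPS_PROPERTY); spelled out as a literal so
    // this class also compiles against 1.9. Assumed from 1.10.0; verify against your jar.
    static final String DEFAULT_LOOKUPS_PROPERTY =
            "org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups";

    // The three lookups CVE-2022-42889 is about, as the enum names the property accepts.
    static final List<String> DANGEROUS = Arrays.asList("SCRIPT", "DNS", "URL");

    // Which dangerous lookups the property switches back on (empty list = none).
    static List<String> reenabledByProperty() {
        String value = System.getProperty(DEFAULT_LOOKUPS_PROPERTY);
        if (value == null || value.trim().isEmpty()) {
            return Collections.emptyList();
        }
        List<String> found = new ArrayList<>();
        for (String name : value.split("[\\s,]+")) {
            String upper = name.trim().toUpperCase(Locale.ROOT);
            if (DANGEROUS.contains(upper) && !found.contains(upper)) {
                found.add(upper);
            }
        }
        return found;
    }

    // Behavioural probe that does not rely on a version string. The interpolator leaves a
    // placeholder with an unknown prefix untouched, so an unchanged result means the script
    // lookup is not wired in. If it is wired in, the expression either evaluates (result
    // "probe") or, on a JDK without a JSR-223 JavaScript engine, throws
    // IllegalArgumentException; both outcomes mean the dangerous path is live.
    static boolean scriptLookupEnabled() {
        String probe = "${script:javascript:'probe'}";
        try {
            return !probe.equals(StringSubstitutor.createInterpolator().replace(probe));
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Implementation-Version comes from the jar manifest and may be null for shaded jars
        // or classes loaded from a directory, so treat it as a hint, not as proof.
        Package pkg = StringSubstitutor.class.getPackage();
        String version = pkg == null ? null : pkg.getImplementationVersion();
        System.out.println("commons-text version: " + version);
        System.out.println("dangerous lookups re-enabled by property: " + reenabledByProperty());
        System.out.println("script lookup reachable via createInterpolator(): "
                + scriptLookupEnabled());
    }
}
```

Run it from inside the application (or with the same JVM flags and classpath) rather than on a developer machine: the property is read from the environment the application starts with, which is exactly what the first bullet warns about. The probe deliberately covers only script; a dns or url probe would touch the network.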

We suggest the following actions:

  • configure WAF/firewall filtering rules for the ${prefix:[options]:data} pattern, in particular for the script, dns and url prefixes;
  • check whether the library is present in your product, for example with text4shell-tools;
  • subscribe to the latest news on this vulnerability and stay aware of the situation. You can now use the webhook wizard to set up automated notifications:
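A filter for the first recommendation, as an added example that is not part of the original post. It classifies request fragments by the placeholder syntax described above and uses only java.util.regex and java.net.URLDecoder (the Charset overload requires Java 10 or later); the class name, method names and the sample request fragments are constructed for illustration:

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class Text4ShellFilter {

    // Any ${prefix:...} placeholder. The interpolator lower-cases the prefix before matching
    // it, so the regexes are case-insensitive; it does not trim it, so "${" is anchored
    // directly to the prefix.
    static final Pattern ANY_LOOKUP =
            Pattern.compile("(?i)\\$\\{[a-z0-9_-]+:[^}]*\\}");

    // The three lookups behind CVE-2022-42889.
    static final Pattern DANGEROUS_LOOKUP =
            Pattern.compile("(?i)\\$\\{(script|dns|url):");

    // Payloads in query strings and form bodies usually arrive %-encoded, so decode once
    // before matching. A malformed escape sequence is inspected as-is rather than dropped.
    static String normalize(String raw) {
        try {
            return URLDecoder.decode(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return raw;
        }
    }

    // BLOCK: a script/dns/url placeholder; REVIEW: any other ${prefix:...} placeholder
    // (env, sys and file are also default lookups and read local data); PASS: nothing.
    static String classify(String raw) {
        String s = normalize(raw);
        if (DANGEROUS_LOOKUP.matcher(s).find()) {
            return "BLOCK";
        }
        if (ANY_LOOKUP.matcher(s).find()) {
            return "REVIEW";
        }
        return "PASS";
    }

    public static void main(String[] args) {
        // Constructed request fragments, not captured traffic.
        String[] samples = {
            "name=${script:javascript:'x'}",               // BLOCK
            "q=%24%7BDNS%3Aaddress%3Aexample.com%7D",       // BLOCK: %-encoded, upper-case prefix
            "msg=${url:UTF-8:http://example.com/}",         // BLOCK
            "fmt=${date:yyyy-MM-dd}",                       // REVIEW: some other lookup
            "home=${env:HOME}",                             // REVIEW: discloses local data
            "total=${amount}",                              // PASS: no prefix, plain map variable
            "plain=hello world",                            // PASS
        };
        for (String s : samples) {
            System.out.println(classify(s) + "  " + s);
        }
    }
}
```

Treat the rule as a stopgap that buys time for the upgrade and the code review from the previous section. It only sees one decoding layer, so a payload that arrives inside a base64 field, a JSON string with unicode escapes, or a second layer of %-encoding passes through; the durable fix is never to use untrusted data as a StringSubstitutor template.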