
New text2shell RCE vulnerability in Apache Common Texts CVE-2022-42889

2022-10-18 05:02:38
Ivanwallarm
lab.wallarm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Yet another RCE with a CVSS score of 9.8 out of 10 was disclosed a few hours ago. The issue looks much like Log4Shell, and it may be even more dangerous, since Commons Text is used more broadly.

The Apache Foundation disclosed a vulnerability in the Apache Commons Text project code and announced it on the project's mailing list on October 13th, the official date of birth of the Text4Shell vulnerability.

This is an SSTI (Server-Side Template Injection) issue with a payload that looks very similar to Log4Shell:

${script:javascript:java.lang.Run.Runtime.getRuntime().exec("cat /etc/shadow");}

As you can see, the macro injection (a template that starts with ${) allows an attacker to inject arbitrary code by calling different Java class methods.

The Wallarm Security Team recommends updating the vulnerable library immediately. The priority action is to update Apache Commons Text to version 1.10.0, via the usual package managers or a direct download from <https://commons.apache.org/proper/commons-text/download_text.cgi>.
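For teams that cannot upgrade on the spot, or that want defence in depth after upgrading, the following added example (not code from the Wallarm post or from the Apache project) shows the vulnerable usage pattern next to a hardened one: an untrusted string passed straight to the default interpolator, versus a developer-owned template with an explicit allow-list of lookups and substitution inside values switched off. The template text and the "user" lookup prefix are assumptions made for the example.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellHardening {

    // Vulnerable (commons-text < 1.10.0): the default interpolator registers the
    // script:, dns: and url: lookups, and the template string itself comes from the
    // attacker, so a "${script:...}" sequence is evaluated rather than printed.
    static String vulnerable(String untrustedTemplate) {
        return StringSubstitutor.createInterpolator().replace(untrustedTemplate);
    }

    // Hardened: the template is a constant owned by the application, untrusted data
    // enters only as lookup values, only the "user" lookup is registered
    // (addDefaultLookups=false keeps script/dns/url out on every library version),
    // and substitution inside resolved values is disabled so a value that happens to
    // contain "${...}" is rendered as plain text.
    static String hardened(Map<String, String> untrustedValues) {
        final String template = "Hello ${user:name}, your id is ${user:id}"; // assumed template
        Map<String, StringLookup> allowed = Map.of(
                "user", StringLookupFactory.INSTANCE.mapStringLookup(untrustedValues));
        StringLookup lookup = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        sub.setDisableSubstitutionInValues(true);
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample input: a "name" carrying a template sequence is echoed verbatim.
        Map<String, String> fromRequest = Map.of("name", "${script:javascript:1+1}", "id", "42");
        System.out.println(hardened(fromRequest));
    }
}
```

Upgrading to 1.10.0 remains the primary fix; the allow-list pattern above only removes the dangerous lookups from code paths you control, and does not protect other dependencies that call the default interpolator.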

All Wallarm API Security and WAAP customers are already protected against CVE-2022-42889 when running the product in blocking mode.

WAF signatures are not effective against CVE-2022-42889 because of the many possible obfuscations of the template injection syntax and the different gadgets and gadget chains of Java objects that attackers can use.

References: <https://nvd.nist.gov/vuln/detail/CVE-2022-42889#vulnCurrentDescriptionTitle>

The post New text2shell RCE vulnerability in Apache Common Texts CVE-2022-42889 appeared first on Wallarm.
