Critical Apache Commons Text Flaw Compared to Log4Shell, But Not as Widespread

A critical security hole affecting Apache Commons Text has been compared to the notorious Log4Shell vulnerability, but experts say it’s not as widespread.

Apache Commons Text is an open source Java library designed for working with strings. Alvaro Munoz, a researcher at GitHub's Security Lab, discovered in March that the library is affected by an arbitrary code execution vulnerability in its variable interpolation feature: when an application passes untrusted data through the library's interpolating StringSubstitutor, versions 1.5 through 1.9 resolve `${prefix:name}` placeholders with the `script`, `dns` and `url` lookups enabled by default, so attacker-supplied text can execute a script, trigger DNS resolution or fetch a remote URL.

The flaw, tracked as CVE-2022-42889, was patched by Apache Commons developers last week with the release of version 1.10.0, which removes the `script`, `dns` and `url` lookups from the default interpolator.

Apache Commons Text is used by many developers and organizations, and some have rushed to describe CVE-2022-42889 as the next Log4Shell vulnerability. Log4Shell impacts the widely used Log4j Java logging framework and it has been exploited in many attacks since its disclosure nearly one year ago.

CVE-2022-42889 has been named Text4Shell and Act4Shell due to its similarity to Log4Shell, but many believe that while the vulnerability could be dangerous, it currently does not deserve a name and logo.

Rapid7 researchers have analyzed the vulnerability and determined that it should not be compared to Log4Shell.

“The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input,” they explained.


In addition, they tested it against various versions of JDK and their proof-of-concept (PoC) exploit only worked without warnings against versions 9.0.4, 10.0.2 and 1.8.0_341.
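The following is an added example (not code from the article, from GitHub's Security Lab, or from the Apache Commons project) showing the vulnerable usage pattern Rapid7 refers to beside two hardened forms. The class and method names (`Text4ShellDemo`, `vulnerable`, `safeMapOnly`, `safeAllowList`) and the sample payload are assumptions made for the example; the payload only reads a system property, but the same `script` prefix can run arbitrary Java. It compiles against commons-text on the classpath: with a 1.5 to 1.9 release the `vulnerable` method evaluates the payload, with 1.10.0 it leaves it as literal text.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example, not part of the original article or of Apache Commons Text.
public class Text4ShellDemo {

    // Constructed sample input standing in for an attacker-controlled value
    // (query parameter, form field, header). Reading a property is harmless,
    // but the script prefix lets any Java expression run with the same rights.
    static final String UNTRUSTED =
        "${script:javascript:java.lang.System.getProperty('java.version')}";

    // Vulnerable pattern: createInterpolator() registers the script, dns and
    // url lookups in Commons Text 1.5 to 1.9, so untrusted text is evaluated.
    static String vulnerable(String input) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(input);
    }

    // Hardened pattern 1: no interpolator at all. Only keys present in the
    // map are replaced; "script:javascript:..." is not a key, so the
    // placeholder is left untouched.
    static String safeMapOnly(String input, Map<String, String> values) {
        return StringSubstitutor.replace(input, values);
    }

    // Hardened pattern 2: an interpolator whose prefixes are an explicit
    // allow-list. addDefaultLookups=false keeps script, dns and url out, and
    // a null default lookup means unknown prefixes resolve to nothing.
    static String safeAllowList(String input) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        allowed.put("env", StringLookupFactory.INSTANCE.environmentVariableStringLookup());
        StringLookup lookup = StringLookupFactory.INSTANCE
            .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup).replace(input);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice"); // constructed template value

        // On an affected version with a JavaScript engine available this
        // prints the JVM version, i.e. the payload ran.
        System.out.println("vulnerable : " + vulnerable(UNTRUSTED));
        // Both hardened forms echo the placeholder back unevaluated.
        System.out.println("map only   : " + safeMapOnly(UNTRUSTED, values));
        System.out.println("allow-list : " + safeAllowList(UNTRUSTED));
        // Allow-listed prefixes still work for legitimate templates.
        System.out.println("allow-list : " + safeAllowList("${sys:java.version}"));
    }
}
```

Two practical notes. First, the exposure is confined to code that builds an interpolating substitutor, so a search of a codebase for `StringSubstitutor.createInterpolator` and `interpolatorStringLookup` (and for `StringLookupFactory` generally) is a quick way to find the call sites that matter; a plain `new StringSubstitutor(map)` never resolves the dangerous prefixes. Second, the `script` lookup needs a JSR-223 JavaScript engine: Nashorn was deprecated in JDK 11 and removed in JDK 15, which is why a script payload runs cleanly on JDK 8, 9 and 10, runs with a deprecation warning on 11, and fails with an exception on 15 and later unless an engine such as a separately bundled Nashorn or Rhino is on the classpath. The `dns` and `url` lookups do not depend on a script engine, so on affected versions they remain reachable on every JDK.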

Sophos said the vulnerability is dangerous and described it as ‘like Log4Shell all over again’, but the company admitted that, for the time being, exploiting it on vulnerable servers is not as easy as in the case of the Log4j bug. Others have reached the same conclusion.


Researcher Sean Wright also believes CVE-2022-42889 is not like Log4Shell, pointing out that Commons Text is not as widely used as Log4j.

Munoz himself also clarified that regardless of the similarities to Log4Shell, the new vulnerability is likely far less prevalent.

While CVE-2022-42889 will likely not end up being exploited at the scale of Log4Shell, organizations are still advised to address the vulnerability, particularly since PoC code is publicly available. Sophos has shared some recommendations for potentially impacted organizations.

Related: Recently Patched Apache HTTP Server Vulnerability Exploited in Attacks

Related: High-Severity Vulnerability Found in Apache Database System Used by Major Firms

Related: Over 100,000 Apache HTTP Servers Affected by Actively Exploited Zero-Day Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
