In this advisory, we cover the core facts about the recently disclosed security vulnerability in the Apache Commons Text project, informally nicknamed “Text4Shell” or “Act4Shell” by some, how urgently it should be addressed, how to respond, and how to better prepare for future vulnerabilities.
The Apache Commons Text team has announced a critical vulnerability in Apache Commons Text, a library focused on string-manipulation that is found in many Java applications.
The vulnerability has been informally nicknamed “Text4Shell” or “Act4Shell” by some observers (invoking the recent high-profile vulnerability that was dubbed Log4Shell), and has been logged in the National Vulnerability Database (NVD) as CVE-2022-42889.
From the Apache mailing list CVE notification:
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
The vulnerability was originally reported by Alvaro Munoz, a researcher at GitHub Security Lab.
Apache Commons Text is a ubiquitous application development framework in modern applications, appearing in a large number of packaged and custom applications.
According to data tracked by Tidelift, impacted package org.apache.commons:commons-text has over 1,400 dependent packages in the Java language ecosystem and over 1,400 dependent software repositories on public code collaboration platforms.
In a blog post “CVE-2022-42889: interpolations that allow RCE disabled in Commons Text 1.10.0,” the Apache Security team notes that the risk profile is much less than the earlier Log4Shell vulnerability:
This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Commons Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.
Nevertheless, Tidelift recommends that organizations address the vulnerability in a timely manner.
The reason this particular issue is drawing so much attention is that it can allow remote code execution (RCE) in situations where untrusted input is passed to the Apache Commons Text library. In other words, it could be possible to use this vulnerability to trigger arbitrary code execution on impacted systems over a network.
This vulnerability has been assigned a NIST CVSS base score of 9.8 out of 10, a CRITICAL rating.
Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. If you can’t upgrade, you can instead change the string interpolation defaults as described in the Apache Commons Text documentation.
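One way to apply the "change the interpolation defaults" mitigation in code, as an added example that is not taken from this advisory or from the Apache project: build the StringSubstitutor from an explicit allow-list of lookups so the "script", "dns" and "url" interpolators are never registered, which works on the affected 1.5 to 1.9 releases as well as on 1.10.0. It assumes commons-text is on the classpath; the class name and the appName value are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    /**
     * Builds a StringSubstitutor whose interpolator knows only the lookups
     * registered here. Because "script", "dns" and "url" are absent, a
     * variable such as "${script:...}" is left unexpanded instead of being
     * handed to the JVM script engine. Application-supplied values come
     * from a plain Map and are used for prefix-less variables.
     */
    public static StringSubstitutor restrictedSubstitutor(Map<String, String> appValues) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;

        // Allow-list of prefixes this application actually needs.
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", factory.systemPropertyStringLookup());

        // addDefaultLookups = false: do NOT pull in the library's default
        // lookup set, which on 1.5-1.9 includes script, dns and url.
        StringLookup interpolator = factory.interpolatorStringLookup(
                allowed, factory.mapStringLookup(appValues), false);

        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("appName", "inventory-service"); // constructed sample value

        StringSubstitutor safe = restrictedSubstitutor(values);

        // Prefix-less and allow-listed variables are still expanded ...
        System.out.println(safe.replace("Starting ${appName} as ${sys:user.name}"));

        // ... while a prefix that was never registered is left as-is
        // rather than evaluated, so this prints the literal placeholder.
        System.out.println(safe.replace("${script:javascript:1 + 1}"));
    }
}
```

The same allow-list approach also keeps "env" or other lookups out of reach unless the application deliberately registers them.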
More importantly, it is worth reviewing how your applications handle text strings from untrusted sources to ensure they are sanitized in all cases, not just when they are passed to Apache Commons Text library methods.
This vulnerability is an important reminder that organizations with an accurate and up-to-date software bill of materials (SBOM) are in a much better position to rapidly respond when serious issues like this one arise.
The Tidelift Subscription allows organizations to centrally manage a catalog of pre-vetted open source components that are approved for use across the organization, while allowing them to dynamically generate up to date SBOMs after every build. This makes it easy for an organization to quickly identify if the affected component is in use and where, so remediation can be handled in a timely and comprehensive manner.
In the case of this Apache Commons Text vulnerability, Tidelift customers were quickly alerted via the Tidelift Subscription. They received guidance on the upgrade path and mitigation procedures via a Tidelift catalog task for them to address.
To be better prepared to react quickly to vulnerabilities like this in the future, Tidelift recommends that organizations implement a proactive, people- and software-based approach to managing the health and security of their open source software supply chain.
If you’d like to learn more about the Tidelift approach to proactively managing open source: