Apache Commons Text CVE-2022-42889 Vulnerability Exploitation Explained

On October 13, 2022, a remote code execution vulnerability affecting the Apache Commons Text library was reported; it has a CVSS score of 9.8 Critical [1]. In insecure implementations of Apache Commons Text, the CVE-2022-42889 vulnerability allows an unauthenticated attacker to execute arbitrary commands via untrusted inputs such as DNS requests and URLs.

Which Apache Commons Text Versions Are Affected by the CVE-2022-42889 Vulnerability?

Developers of the Apache Commons Text library have confirmed that versions 1.5 through 1.9 are affected by the CVE-2022-42889 vulnerability [2]. However, the exploitability of the vulnerability also depends on the JDK version.

JDK versions required for CVE-2022-42889 vulnerability exploitation:

- 1.8.0_341
- 9.0.4
- 10.0.2
- 11.0.16.1
- 12.0.2
- 13.0.2
- 14.0.2

What is the Impact of CVE-2022-42889 Vulnerability?

The CVE-2022-42889 vulnerability allows unauthenticated attackers to execute arbitrary commands in products that depend on the Apache Commons Text library. Due to its similarity to the Log4Shell vulnerability, many security professionals dubbed the vulnerability Text4Shell. However, the vulnerable function in the Apache Commons Text library is not used as widely, and exploiting it is not as easy as exploiting Log4Shell. Thus, the impact of the CVE-2022-42889 vulnerability is estimated to be similar to that of the Spring4Shell vulnerability.

The CVSS score of the vulnerability is 9.8 Critical.

How to Mitigate CVE-2022-42889 Vulnerability?

The developers of the Apache Commons Text library recommend that users upgrade to version 1.10.0. Since this is a library vulnerability, it may not be possible to identify or patch every affected product in an organization's environment. Security teams should update products and services as vendors provide updates. In the meantime, any external input passed to the Commons Text lookup methods should be sanitized properly to avoid potentially risky situations.

CVE-2022-42889 Vulnerability Exploitation Explained

The CVE-2022-42889 vulnerability is a Server-Side Template Injection (SSTI) vulnerability that allows unauthenticated attackers to run commands in the vulnerable services remotely.

The SSTI vulnerability is found in the StringSubstitutor interpolator object. The default interpolator, "StringSubstitutor.createInterpolator()", performs string lookups when it is passed a string of the form "${prefix:name}". However, adversaries may abuse this function with maliciously crafted strings to execute arbitrary scripts.

import org.apache.commons.text.StringSubstitutor;

// Vulnerable usage: the default interpolator resolves the "script" prefix from untrusted text
final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('cat /etc/passwd')}");
System.out.println(out);

Example 1: CVE-2022-42889 Remote Code Execution Vulnerability Exploitation [1]
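As an added example (not code from this page, from Picus, or from the Apache project), the vulnerable default-interpolator call is shown beside a hardened form that applies the mitigation described above: the lookups are allow-listed explicitly, so a "${script:...}" string arriving from an untrusted source is left unresolved instead of executed. It assumes commons-text 1.5 through 1.9 on the classpath; the class and method names are mine.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class LookupAllowList {

    // Vulnerable pattern from the advisory: the default interpolator in
    // commons-text 1.5-1.9 registers the script, dns and url lookups, so any
    // untrusted text reaching replace() can select them via ${prefix:name}.
    static String unsafeReplace(String untrusted) {
        return StringSubstitutor.createInterpolator().replace(untrusted);
    }

    // Hardened form: build the interpolator from an explicit allow-list and
    // pass addDefaultLookups=false, so no lookup the application did not
    // register is reachable. Unknown prefixes fall through to the map of
    // application-supplied variables and otherwise stay unresolved.
    static String restrictedReplace(String untrusted, Map<String, String> vars) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // Register only what this application needs; "sys" or "env" would
        // expose system properties and environment variables to the caller.
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, StringLookupFactory.INSTANCE.mapStringLookup(vars), false);
        return new StringSubstitutor(lookup).replace(untrusted);
    }

    public static void main(String[] args) {
        // Constructed input: a harmless script lookup that only evaluates 1+1.
        String untrusted = "${script:javascript:1+1}";
        Map<String, String> vars = new HashMap<>();
        vars.put("user", "alice");

        try {
            // On JDK 8-14 with a vulnerable version this prints "2".
            System.out.println("default interpolator   : " + unsafeReplace(untrusted));
        } catch (RuntimeException e) {
            // JDK 15+ ships no JavaScript engine, so the script lookup throws;
            // this is why the exploitable JDK versions above stop at 14.
            System.out.println("default interpolator   : " + e.getMessage());
        }
        // The restricted interpolator never executes it; the text is left as-is,
        // while ordinary application variables still resolve.
        System.out.println("restricted interpolator: " + restrictedReplace(untrusted, vars));
        System.out.println("restricted interpolator: " + restrictedReplace("hello ${user}", vars));
    }
}
```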

How Does Picus Help Simulate Apache Commons Text CVE-2022-42889 Unauthenticated Remote Code Execution Exploits?

We also strongly suggest simulating Apache Commons Text CVE-2022-42889 unauthenticated remote code execution vulnerability exploitation attacks to assess the effectiveness of your security controls using the Picus Complete Security Control Validation Platform. You can test your defenses against the CVE-2022-42889 vulnerability exploitation attacks and assess your security posture against the exploitation of hundreds of commonly exploited vulnerabilities within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threat for the CVE-2022-42889 vulnerability:

Threat ID   Threat Name
37799       Apache Commons Web Attack Campaign

References

[1] “GHSL-2022-018: Arbitrary Code Execution in Apache Commons Text - CVE-2022-42889,” GitHub Security Lab, Oct. 17, 2022. [Online]. Available: https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/. [Accessed: Oct. 18, 2022]

[2] “[No title].” [Online]. Available: https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om. [Accessed: Oct. 18, 2022]