Shellshock, Heartbleed and now TEXT4SHELL. The list of critical security vulnerabilities seems to be growing daily, and it can be hard to track them all. TEXT4SHELL is a vulnerability that allows attackers to execute shell commands without authentication. This means anyone with access to your computer could run any command they want. What can you do to protect yourself from TEXT4SHELL?
Summary:
A new critical vulnerability, CVE-2022-42889, has been discovered by a GitHub Security Lab researcher. This vulnerability is now known as “Text4Shell”. CVE-2022042889 results from code execution in the well-known Java library “Apache Commons Text Library” while processing malicious input. Apache Common Text is a library used in Java that focuses on algorithms for manipulating strings. This vulnerability has a severity level of 9.8 (CVSS:3). Remote Code Execution (RCE) allows an attacker to execute arbitrary code or commands on affected hosts and could lead to a complete compromise in certain situations.
Impact:
The Apache Commons text library CVE-2022-42889 vulnerability is a serious issue that can potentially impact systems’ confidentiality, integrity, and availability. This vulnerability is probably not old log4shell and spring4shell. Looking at the vulnerable components, the likelihood of exploitation is related to using the Apache Commons text library. In particular, it is possible to exploit it only if it implements a StringSubstitutor object with some user-controlled input. This implementation in production is less typical than the vulnerable string substitution in Log4J. However, it is still possible for systems to be impacted. Users should ensure that their systems are not vulnerable to this issue.
It should not be something that should trigger a fire drill at your org, but it must be fixed in the next release cycle!
Detection and Mitigation:
CVE-2022-42889 is a text4shell vulnerability that an attacker can exploit to take control of the affected system. This vulnerability can be detected during the build, deployment, and runtime detection phases. Mitigation measures include updating the application to version 1.10 and using a runtime detection engine such as Falco to detect post-exploitation behaviors. If you’re affected by CVE-2022-42889, you should update the application to use the latest version of Apache Common.
Remediation:
- Upgrade Apache Commons Library to a latest version (1.10.0) if possible.
- If an upgrade is impossible, configure the StringSubstitutor with a safe StringLookup configuration.
If text4shell cannot be upgraded, the StringSubstitutor can be initialized with a safe StringLookup configuration.
By default, the DefaultStringLookup.DNS, DefaultStringLookup.URL, and DefaultStringLookup.SCRIPT properties are added to interpolator behavior. These properties can be used to lookup DNS names, URLs, and scripts. A fix from the Apache team has removed these properties from the default behavior.
The Map<String, StringLookup>lookupMap can map strings to string lookups. The following code snippet shows how to configure the StringSubstitutor with a safe StringLookup configuration:
Map<String, StringLookup> lookupMap = new HashMap<>(); lookupMap.put("foo", new URLStringLookup()); lookupMap.put("bar", new ScriptStringLookup()); StringSubstitutor substiutor = new StringSubstitutor(lookupMap);
Text4Shell vs Log4J:
The main difference between Text4Shell and Log4Shell is that Text4Shell is less likely to become widespread. This is because Log4Shell occurred in a method expected to consume data, which is expected to be trustworthy. Text4Shell exists in a method intended for string interpolation; thus, developers are more likely to write their safeguards when consuming the data. To be affected by Text4Shell, the following conditions must be met:
- The application must be using the Apache Commons text library.
- The application must pass user-controlled input to the StringSubstitutor class.
- The application must not be properly validating or sanitizing that input. If these conditions are met, an attacker could execute arbitrary code on the affected system.
How to Exploit the text4Shell Vulnerability:
The text4Shell vulnerability can be exploited by sending a specially crafted request to a vulnerable endpoint. The request parameter, requestInput, is passed to the StringSubstitutor class, which is vulnerable to the exploit. By using the following payload, the attacker can execute arbitrary commands on the server:
http://localhost:8080/vulnerable?requestInput=${script:javascript:java.lang.Runtime.getRuntime().exec('cat /etc/shadow')}
The StringSubstitutor.replace() method replaces placeholder values in the input string with corresponding values from a map. This method is vulnerable to command injection, which allows an attacker to execute arbitrary commands on the server.
To avoid this vulnerability, it is recommended to use a different library for string substitution or to sanitize the input string before passing it to the StringSubstitutor class.
While this vulnerability is severe, it’s important to remember that not all systems are at risk. If you’re running a version of Java released after September 2017, you should be safe from any potential exploits. If you’re still worried or want to ensure your system is fully protected, we recommend reaching out to ioSENTRIX for help. We’ll keep you updated on any new information related to CVE-2022-42889 as it becomes available.
Never miss a story from us, subscribe to our newsletter