The Apache Software Foundation published an official security advisory on 13th Oct for a critical RCE vulnerability in the Apache Commons Text library. The flaw, dubbed Text4shell and tracked as CVE-2022-42889, is a critical remote code execution vulnerability with a severity score of 9.8 out of 10 on the CVSS scale. Since it lets attackers execute arbitrary code on any machine running a vulnerable version of the library, it is important to know how to fix Text4shell, a critical RCE vulnerability in the Apache Commons Text library.
In this post we give a short note about the Apache Commons Text library, a summary of Text4shell, the versions affected, and finally how to fix Text4shell, a critical RCE vulnerability in the Apache Commons Text library.
The Apache Commons Text library is a string substitution library that provides a set of helpful utilities for working with text in Java. This includes generating random strings, calculating the Levenshtein distance between two strings, and various string formatting options. Overall, the library is built to extend the string functions that Java provides by default. It is easy to use and can be a big help when working with text data in Java applications.
The vulnerability, dubbed ‘Text4shell’ or ‘Act4Shell’, stems from the Apache Commons Text library, an open-source Apache library built to provide additional string interpolation features such as string substitution, lookups and matching in Java.
This vulnerability has been given a score of 9.8 on the CVSS scale and is considered critical in severity. Looking at its severity and its name, many have started treating this flaw as similar to last year’s Log4Shell vulnerability in the Apache Log4j library. However, because the Apache Commons Text library is far less widely used than Log4j, the exploitability of Text4shell is considerably lower than that of Log4shell.
https://twitter.com/GossiTheDog/status/1581973655453433856
The Text4shell vulnerability is due to the dynamic evaluation and execution of variable interpolation by the Apache Commons Text library. The vulnerability exists in the StringSubstitutor interpolator object created by the StringSubstitutor.createInterpolator() method. That interpolator allows various types of string lookups, such as “script”, “dns” or “url”, to be passed in the “${prefix:name}” format.
An attacker abuses the dynamic evaluation and execution of “script”, “dns” or “url” lookups in the StringSubstitutor interpolator object by crafting malicious strings and passing them to the interpolator, which ultimately executes arbitrary code on the victim.
The methods that allow an attacker to reach the ScriptStringLookup and trigger arbitrary code execution are:
- StringSubstitutor.createInterpolator()
- StringSubstitutor.replace()
- StringSubstitutor.replaceIn()
Source: zscaler
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- “script” – execute expressions using the JVM script execution engine (javax.script)
- “dns” – resolve dns records
- “url” – load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
– Apache
CVSS Break Up of Text4shell Vulnerability:

| Field | Value |
| --- | --- |
| Associated CVE ID | CVE-2022-42889 |
| Description | A Critical RCE Vulnerability in Apache Commons Text |
| Associated ZDI ID | – |
| CVSS Score | 9.8 (Critical) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
According to the study shared by Wordfence, a well-known security solution for WordPress websites, attackers have been targeting the vulnerability on around 4 million WordPress websites since 18th Oct. The Wordfence Threat Intelligence Team said that DNS lookups make up the majority of the requests they have seen in their study and are intended to scan for vulnerable installations. Script lookups are the second most common prefix found in the study; attackers most likely use the script prefix to execute arbitrary code on the victim. Compared to DNS and script lookups, URL lookups were the least frequently observed in their study.
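The Wordfence observation above (DNS probes first, script second, URL last) is exactly what a defender can reproduce from their own web server logs. The following is an added example, not code from the original post or from Wordfence: it parses a few constructed combined-format access log lines, URL-decodes the request (probes usually arrive as %24%7B, i.e. “${”, and are sometimes double-encoded), and tallies which of the three removed lookup prefixes each source IP used. The log format, the sample lines and the RFC 5737 documentation IPs are assumptions for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not part of the original post or of Wordfence's tooling):
 * triage access logs for Text4shell lookup probes and count, per source IP,
 * how often each lookup prefix appears.
 */
public final class Text4shellLogTriage {

    // Combined log shape (assumed): client IP first, request line in quotes.
    private static final Pattern LOG_LINE =
            Pattern.compile("^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"([^\"]*)\"");

    // The three lookups Apache removed from the defaults in 1.10.0.
    private static final Pattern LOOKUP_PREFIX =
            Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    /** Returns, per source IP, a map of lookup prefix to number of hits. */
    public static Map<String, Map<String, Integer>> triage(List<String> lines) {
        Map<String, Map<String, Integer>> hits = new TreeMap<>();
        for (String line : lines) {
            Matcher m = LOG_LINE.matcher(line);
            if (!m.find()) {
                continue; // not a log line we understand; skip it
            }
            String ip = m.group(1);
            // Decode twice so double-encoded probes (%2524%257B...) are caught too.
            String request = decodeLoosely(decodeLoosely(m.group(2)));
            Matcher p = LOOKUP_PREFIX.matcher(request);
            while (p.find()) {
                String prefix = p.group(1).toLowerCase();
                hits.computeIfAbsent(ip, k -> new LinkedHashMap<>())
                    .merge(prefix, 1, Integer::sum);
            }
        }
        return hits;
    }

    // URLDecoder.decode(String, Charset) requires Java 10 or newer.
    // Malformed escapes (a stray '%') are left as-is rather than aborting the scan.
    private static String decodeLoosely(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s;
        }
    }

    public static void main(String[] args) {
        // Constructed sample lines; "probe" is a placeholder, not a real lookup argument.
        List<String> sample = List.of(
            "192.0.2.10 - - [18/Oct/2022:10:01:02 +0000] \"GET /?q=%24%7Bdns%3Aprobe%7D HTTP/1.1\" 200 512",
            "192.0.2.10 - - [18/Oct/2022:10:01:05 +0000] \"GET /login?u=%24%7Bscript%3Aprobe%7D HTTP/1.1\" 200 512",
            "198.51.100.7 - - [18/Oct/2022:10:02:11 +0000] \"GET /?x=%2524%257Burl%253Aprobe%257D HTTP/1.1\" 200 512",
            "198.51.100.9 - - [18/Oct/2022:10:03:00 +0000] \"GET /index.html HTTP/1.1\" 200 1024"
        );
        // Expected: 192.0.2.10 -> {dns=1, script=1}, 198.51.100.7 -> {url=1}
        triage(sample).forEach((ip, counts) -> System.out.println(ip + " -> " + counts));
    }
}
```

A source IP that shows only dns hits is most likely a scanner confirming the vulnerability through an out-of-band DNS callback; a script hit against the same host is the one to escalate, because that prefix is the one that leads to code execution.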
IoCs of Text4shell Captured by Wordfence Threat Intelligence Team
List of source IP addresses from which the attacks emerged
103.127.158.166*
207.180.241.85*
159.180.168.60*
159.180.168.61*
206.189.150.65*
13.53.121.211*
165.227.196.68*
46.101.177.159*
37.120.189.196*
161.97.122.174*
52.94.133.128*
72.21.196.64*
66.94.113.40*
199.16.53.138*
3.232.79.59*
66.94.110.66*
52.202.251.117*
207.154.234.251
103.162.75.6
38.242.147.244
20.9.198.105
164.90.174.6
161.97.132.171
159.223.26.207
181.215.176.86
139.59.210.202
194.163.185.138
62.171.165.202
159.89.185.54
144.126.131.64
38.242.242.52
157.230.29.154
209.126.10.16
164.92.136.114
80.152.226.29
66.94.110.65
161.97.74.59
20.112.84.178
13.58.100.198
List of domains from which the attacks emerged.
tress.cf
oast.online
oast.site
oast.live
oast.me
blsops.com
dnslog.cn
acpk.xyz
oast.fun
ligame.xyz
oast.pro
vii.onE
canarytokens.com
The flaw is rated Critical with a CVSS score of 9.8 out of 10. It is rated Critical because of its ease of exploitation and its large potential impact on confidentiality, integrity, and availability.
However, the likelihood of Text4shell being exploited is not comparable to Log4Shell or Spring4Shell, for two reasons:
- The Apache Commons Text library is not as prevalent as the Apache Log4j library.
- Use of the StringSubstitutor object with user-controlled input in production environments is not as prevalent as the vulnerable string substitution in the Apache Log4j library.
A system is exploitable through Text4shell only if it meets both of the following requirements:
- It runs a version of Apache Commons Text from 1.5 to 1.9.
- It uses the StringSubstitutor interpolator with user-controlled input.
If your system meets both requirements, an attacker could abuse the flaw to carry out remote code execution, which can further lead to disclosure of sensitive information, addition or modification of data, Denial of Service (DoS), reverse shell access, or in the worst case complete control of the machine.
The flaw affects the Apache Commons Text library from v1.5 through v1.9. Several security researchers have published proofs of concept on public forums confirming that the Text4shell vulnerability exists up to and including v1.9. Organizations that use the Apache Commons Text library in their applications or projects need to check which version they use and fix Text4shell as soon as possible.
The Apache Software Foundation has fixed the Text4shell vulnerability in its new release, v1.10.0. In v1.10.0, Apache has disabled the problematic interpolators by default: the DefaultStringLookup.DNS, DefaultStringLookup.URL and DefaultStringLookup.SCRIPT lookups (dns, url and script) have been removed from the StringLookupFactory.createDefaultStringLookups() method. Untrusted input can therefore no longer reach these lookups through the default interpolator, which protects the Apache Commons Text library from the Text4shell vulnerability.
We recommend upgrading the Apache Commons Text library to v1.10.0 or greater to fix the Text4shell vulnerability permanently. If you are not in a position to upgrade the library, you should initialize the StringSubstitutor with a safe StringLookup configuration. Even if your project does require these lookups, you should implement a sanitization step before passing untrusted data to the interpolator object.
Important Note: Using a version of the Apache Commons Text library below 1.10.0 does not by itself mean your application is vulnerable. Conversely, if the software uses the StringSubstitutor API without properly sanitizing untrusted input, the flaw could be exploitable irrespective of the version, even on 1.10.0 or higher.
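The following is an added example, not code from the original post or from the Apache project, of the “safe StringLookup configuration” recommended above for cases where upgrading is not immediately possible. Instead of StringSubstitutor.createInterpolator(), which on 1.5 to 1.9 wires in the script, dns and url lookups, it builds the interpolator from an explicit allow-list of prefixes with addDefaultLookups set to false, and it rejects input carrying one of the three removed prefixes before it ever reaches the substitutor. The class name, the “app” prefix and the sample values are assumptions for the example; the StringLookupFactory and StringSubstitutor calls are the library's real API.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not from the original post or the Apache project):
 * a template expander built on Apache Commons Text that never exposes the
 * script/dns/url lookups, whichever library version is on the classpath.
 */
public final class SafeTemplateExpander {

    // Matches a ${prefix:...} expression whose prefix is one of the three
    // interpolators Apache removed from the defaults in 1.10.0. Used only to
    // reject such input before it reaches a substitutor.
    private static final Pattern DANGEROUS_LOOKUP =
            Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    private final StringSubstitutor substitutor;

    public SafeTemplateExpander(Map<String, String> allowedValues) {
        // Explicit allow-list of prefixes: only "app" resolves, backed by a plain map.
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("app", StringLookupFactory.INSTANCE.mapStringLookup(allowedValues));

        // addDefaultLookups = false: do NOT pull in the library's default set,
        // which on 1.5 - 1.9 includes script, dns and url. Unknown prefixes fall
        // through to the null lookup and are left unexpanded.
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                lookups, StringLookupFactory.INSTANCE.nullStringLookup(), false);

        this.substitutor = new StringSubstitutor(interpolator);
        // Nested ${${...}} expansion can smuggle a prefix past a naive check; keep it off.
        this.substitutor.setEnableSubstitutionInVariables(false);
    }

    /** True if the text carries a script, dns or url lookup expression. */
    public static boolean containsDangerousLookup(String text) {
        return text != null && DANGEROUS_LOOKUP.matcher(text).find();
    }

    /**
     * Expands ${app:key} placeholders in a template that may come from an
     * untrusted source. Input with a removed lookup prefix is rejected outright.
     */
    public String expand(String untrustedTemplate) {
        if (containsDangerousLookup(untrustedTemplate)) {
            throw new IllegalArgumentException("template rejected: disallowed lookup prefix");
        }
        return substitutor.replace(untrustedTemplate);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("name", "inventory-service"); // constructed sample value
        SafeTemplateExpander expander = new SafeTemplateExpander(values);

        System.out.println(expander.expand("Welcome to ${app:name}"));     // Welcome to inventory-service
        System.out.println(expander.expand("Unknown prefix: ${foo:bar}")); // left unexpanded
        try {
            expander.expand("${dns:probe}"); // "probe" is a placeholder, not a real lookup argument
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Note that the allow-list, not the regex, is the actual control: with addDefaultLookups set to false the script, dns and url lookups are simply not registered, so even an input that slipped past the pattern check would be left as literal text. The regex exists so that such input is logged and rejected rather than silently echoed back.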
Note that you will never get a binary patch from Apache. If you have to work with source code, you should follow the build instructions for the component version listed below that you are currently using.
If you need help building this component or other support in following these security mitigation instructions for known vulnerabilities, please reach out to the public user mailing list.
The flaw stems from the dynamic evaluation and execution of “script”, “dns” or “url” lookups in the StringSubstitutor interpolator object of the Apache Commons Text library. Fixing this vulnerability requires an upgrade to the latest version, 1.10.0. We hope this post helps you know how to fix Text4shell, a critical RCE vulnerability in the Apache Commons Text library. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.