How to Fix Text4shell- A Critical RCE Vulnerability in Apache Commons Text

Apache Software Foundation published an official security advisory on a critical RCE vulnerability in Apache Commons Text Library on 13th Oct. The flaw dobbed Text4shell is being tracked under the identifier CVE-2022-42889 is a critical remote code execution vulnerability with a severity score of 9.8 out of 10 on the CVSS scale. Since the flaw lets attackers execute arbitrary code on the machine which has the vulnerable versions of Apache Commons Text Library on it, it is important to know how to fix Text4shell, a critical RCE vulnerability in Apache Commons Text library.

Let’s see a short note about the Apache Commons Text library, a summary of the Text4shell, the versions affected, and finally, how to fix Text4shell, a critical RCE vulnerability  in Apache Commons Text library in this post.

A Short Introduction About Apache Commons Text Library:

The Apache Commons Text library is a sting substitution Library that provides a set of helpful utilities when working with text in Java. This includes things like generating random strings, calculating Levenshtein distance between two strings, and providing various String formatting options. Overall, the library is built to boost the string functions in Java in addition to the existing default string functions in Java. It is very easy to use and can be a big help when working with text data in Java applications.

Summary of Text4shell Vulnerability

The vulnerability dubbed ‘Text4shell’ or ‘Act4Shell’ is a vulnerability stemmed from the Apache Commons Text Library, an open-source Apache library that is built to provide more string interpolation features like string substitution, lookups, matching and other functions in Java programming.

This vulnerability has been given a score of 9.8 on the CVSS scale and is considered critical in severity. By looking at its severity and its name, ‘Text4shell’, many have started treating this flaw as similar to last year’s Log4Shell vulnerability in the Apache Log4j library. However, due to the less usage of the Apache Commons Text library in comparison with the Apache Log4j library, the exploitability of Text4shell is quite less than Log4shell.

https://twitter.com/GossiTheDog/status/1581973655453433856

The Text4shell vulnerability is due to the dynamic evaluation and execution of variable interpolation of properties by the Apache Commons Text Library. The vulnerability exists in the StringSubstitutor interpolator object created by the StringSubstitutor.createInterpolator() method of the Apache Common Text library. The method allows various types of sting lookups such as “script”, “DNS”, or “URL” to pass in “${prefix:name}” format.

The attacker will abuse the dynamic evaluation and execution of “script”, “DNS”, or “URL” lookups in the StringSubstitutor interpolator object of the Apache Common Text library by crafting and passing malicious stings to the interpolator object, which eventually executes arbitrary codes on the victim

Methods that allow attackers to use the ScriptStringLookup to trigger arbitrary code execution are:

- StringSubstitutor.createInterpolator()
- StringSubstitutor.replace()
- StringSubstitutor.replaceIn()

Source: zscaler

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: – “script” – execute expressions using the JVM script execution engine (javax.script) – “dns” – resolve dns records – “url” – load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.-Apache

CVSS Break Up of Text4shell Vulnerability:

Wordfence Report on Text4shell Vulnerability

According to the study shared by Wordfence, a well-known security solution for WordPress websites, attackers have started targeting the vulnerability on around 4 million WordPress websites since 18th Oct. The Wordfence Threat Intelligence Team said that DNS lookups are the majority of requests they have seen in their sturdy which are intended to scan for vulnerable installations. Script lookups are the second most prefix they have found being used in their study. Attackers most likely use the Script prefix to execute arbitrary codes on the victim. Compared to DNS and Script lookups, URL lookups are the least requested captures in their study.

IoCs of Text4shell Captured by Wordfence Threat Intelligence Team

List of source IP addresses from where the attacks emerged

103.127.158.166*

207.180.241.85*

159.180.168.60*

159.180.168.61*

206.189.150.65*

13.53.121.211*

165.227.196.68*

46.101.177.159*

37.120.189.196*

161.97.122.174*

52.94.133.128*

72.21.196.64*

66.94.113.40*

199.16.53.138*

3.232.79.59*

66.94.110.66*

52.202.251.117*

207.154.234.251

103.162.75.6

38.242.147.244

20.9.198.105

164.90.174.6

161.97.132.171

159.223.26.207

181.215.176.86

139.59.210.202

194.163.185.138

62.171.165.202

159.89.185.54

144.126.131.64

38.242.242.52

157.230.29.154

209.126.10.16

164.92.136.114

80.152.226.29

66.94.110.65

161.97.74.59

20.112.84.178

13.58.100.198

List of domains from where the attacks emerged.

tress.cf

oast.online

oast.site

oast.live

oast.me

blsops.com

dnslog.cn

acpk.xyz

oast.fun

ligame.xyz

oast.pro

vii.onE

canarytokens.com

The Impact of Text4Shell Vulnerability:

The flaw is rated Critical with a CVSS score of 9.8 out of 10 on the scale. It’s been rated Critical due to its ease of exploitability with huge potential impact in terms of confidentiality, integrity, and availability.

However, the likelihood of the Text4shell vulnerability can’t be equivalent to Log4Shell or Spring4Shell. Because of two reasons:

To exploit the Text4shell vulnerability, your system should meet the following requirements:

If your system is met with all the requirements required to exploit, the attacker could abuse the flaw to carry out the remote code execution, which further lead to the disclosure of sensitive information, addition or modification of data, Denial of Service (DoS), gain reverse shell access, or in worst case take control of the complete machine.

Products Affected by Text4shell Vulnerability

The flaw affects Apache Commons Text library starting from v1.5 to 1.9. To support this, several security researchers have presented their prof of concept on public forums to denote that the Text4shell vulnerability does exist till v1.9. Organizations who use Apache Commons Text library in their application or project would need to check the version of the Apache Commons Text library they use and fix Text4shell as soon as possible.

How To Fix Text4shell- A Critical RCE Vulnerability in Apache Commons Text?

Apache Software Foundations has fixed the Text4shell vulnerability in its new release, v1.10.0. In v1.10.0, Apache has disabled the problematic interpolators as the default settings. In the version starting from 1.10.0 Apache has removed the DefaultStringLookup.DNS, DefaultStringLookup.URL, and DefaultStringLookup.SCRIPT ( DNS, script, and URL ) lookups from the StringLookupFactory.createDefaultStringLookups() method. This made the attacker unable to input the untrusted data and made the Apache Commons Text library secure from the Text4shell vulnerability.

We recommend upgrading the Apache Commons Text library to v1.10.0 or greater to fix the Text4shell vulnerability permanently. If you are in a position that doesn’t allow you to upgrade the library, then you should initialize the StringSubstitutor with safe StringLookup configurations. Even in the case that your project does require these lookups, you should implement a security sanitization process before passing the untrusted data to the interpolator object.

Important Note: It is not mandatory to conclude the version of Apache Commons Text library is vulnerable even if you are using less than 1.10.0. If the if this software uses the StringSubstitutor API without properly sanitizing any untrusted input, irrespective of the version, the flaw could be exploitable even in the case of 1.10.0. or higher. 

Note that you will never get a binary patch from Apache. If you have to work with source code, you should follow the build instructions for the component version listed below that you are currently using.

If you need help building this component or other support in following these security mitigation instructions for known vulnerabilities, please reach out to the public user mailing list.

Wrap Up

The flaw stems from the dynamic evaluation and execution of “script”, “DNS”, or “URL” lookups in the StringSubstitutor interpolator object of the Apache Common Text library. Fixing this vulnerability requires an upgrade to the latest version 1.10.0. We hope this post would help you know know how to fix Text4shell, a critical RCE vulnerability in Apache Commons Text library. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.