Today we’re talking about CVE-2022-42889 aka Text4Shell. We’ll walk you through what it is, what you need to know and do to protect your applications, and dive into how Bionic is helping customers understand their overall risk related to this vulnerability.
What is Text4Shell?
Text4Shell is a vulnerability in the widely used Apache Commons Text library, a Java library focused on algorithms that work on strings. It was discovered by GitHub Security Lab researcher Alvaro Muñoz.
This CVE has a severity rating of 9.8, which translates to “critical.” Versions 1.5 through 1.9 of the library are affected by this vulnerability.
What you need to know about Text4Shell:
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.
Muñoz stated that “the StringSubstitutor default interpolators may lead to unsafe script evaluation and arbitrary code execution.” In practice this means remote code execution: some of the default lookups will act on untrusted or malicious input if that input reaches the interpolator.
What should security teams do?
Scan your code for the presence of this vulnerability wherever it poses risk to your business. It’s important to remember that finding the vulnerability does not mean it is currently being exploited. However, if an affected version of the library is loaded at runtime or in production, there is a risk of exploitation.
With that said, it’s important to use a security tool that can scan all of your code in production to search for its presence.
If you find any affected versions of the library, upgrade or patch to Apache Commons Text version 1.10.0. This version disables the problematic default interpolators.
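As an added example (not Bionic’s code or the page’s own), here is a small Python scanner that looks for commons-text’s Maven metadata inside deployed archives, descending into jars nested in fat jars and WARs, and flags any version in the 1.5 to 1.9 range. It assumes the standard Maven layout for pom.properties; build_sample_jar constructs a test fixture rather than reading a real artifact.

```python
import io
import re
import zipfile
from pathlib import Path

# Maven metadata file that commons-text jars carry; its "version=" line is what we check.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def is_affected(version):
    """True for 1.5 <= version < 1.10.0, the range named in the advisory; qualifiers such as -SNAPSHOT are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    v = tuple(int(p) for p in m.group(1).split(".")) if m else ()
    return (1, 5) <= v < (1, 10)

def scan_jar_bytes(data, label):
    """Return [(location, version, affected)] for each commons-text copy in an archive, descending into nested jars (fat jars, WAR WEB-INF/lib)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                lines = zf.read(name).decode("utf-8", "replace").splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                ver = props.get("version", "").strip()
                findings.append((label, ver, is_affected(ver)))
            elif name.lower().endswith(ARCHIVES):
                findings += scan_jar_bytes(zf.read(name), f"{label}!/{name}")
    return findings

def scan_tree(root):
    # Walk a deployment directory and scan every archive under it.
    return [f for p in Path(root).rglob("*") if p.suffix.lower() in ARCHIVES
            for f in scan_jar_bytes(p.read_bytes(), str(p))]

def build_sample_jar(version, nested_in=None):
    """Constructed fixture: a jar holding only commons-text's pom.properties, optionally wrapped in an outer archive at path nested_in."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, f"#Generated by Maven\nversion={version}\nartifactId=commons-text\n")
    if nested_in is None:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nested_in, inner.getvalue())
    return outer.getvalue()
```

Run scan_tree on a deployment directory to list every bundled copy; a hit marked affected should be upgraded even if nothing currently feeds it untrusted input.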
Detecting CVE-2022-42889 with Bionic
Here is a quick walkthrough of Bionic locating this CVE in your application architecture and adding context on prioritizing the risk associated with it.
From the main Bionic dashboard, go to the Query page.
Enter the following in the Query generator.
in:services and libraries:(name:"*commons-text*" and (version:"1.5*" or version:"1.6*" or version:"1.7*" or version:"1.8*" or version:"1.9*"))
Then, press Run Query.
Bionic will look for any services that have a library with a name containing “commons-text” and a version in the 1.5 to 1.9 range. If Bionic finds any of these library versions, it will return that information on the screen.
Here’s an example:
Click on a service. In the example below, we’ve clicked on the first result, labeled “example-service-domain.” Bionic will display the Service Inventory page. From there, go to the Libraries tab and enter “commons-text” in the search bar, which will show that version 1.9 of this library is loaded in the service.
Even if you find a vulnerable version of this library in your application ecosystem, it doesn’t mean that you’ve been exploited. Simply upgrade to the latest version as needed and remain calm.
Conclusion
Bionic helps organizations understand their overall risk related to a CVE. In some cases, the presence of this CVE in an organization’s code does not by itself create risk. Bionic contextualizes threats in terms of their business impact and exploitability.
To learn more about our contextual, risk-driven approach to security, read our eBook about Application Security Posture Management today.