Best of 2022: New text2shell RCE vulnerability in Apache Common Texts CVE-2022-42889

As we close out 2022, we at Security Boulevard wanted to highlight the most popular articles of the year. Following is the latest in our series of the Best of 2022.

Yet another RCE with a CVSS score of 9.8 out of 10 was disclosed a few hours ago. This issue looks like the same Log4shell and it seems even more dangerous since Common Texts are used more broadly.

The Apache Foundation published a vulnerability in the Apache Commons Text project code and published a message to this effect in the project’s mailing list on October 13th, an official date of birth of Text4Shell vulnerability.

This is an SSTI, Server-Side Template Injection issue with a payload that looks really similar to Log4Shell:

${script:javascript:java.lang.Run.Runtime.getRuntime().exec("cat /etc/shadow");}

As you can see, the macros Injection, or a template starts with ${ allows an attackers to inject arbitrary code by calling different Java class methods.

Wallarm Security Team recommends instantly updating the vulnerable library. The priority action is to update Apache Commons Text to version 1.10.0, via the usual package managers or a direct download from https://commons.apache.org/proper/commons-text/download_text.cgi.

All Wallarm API security and WAAP customers already got protection against CVE-2022-42889 while using the product in a blocking mode.

WAF signatures are not effective against CVE-2022-42889 due to many possible obfuscations in template injection syntaxes and using different gadgets and gadgets chains of Java objects by attackers.

References: https://nvd.nist.gov/vuln/detail/CVE-2022-42889#vulnCurrentDescriptionTitle

The post New text2shell RCE vulnerability in Apache Common Texts CVE-2022-42889 appeared first on Wallarm.

*** This is a Security Bloggers Network syndicated blog from Wallarm authored by Ivanwallarm. Read the original post at: https://lab.wallarm.com/new-text2shell-rce-vulnerability-in-apache-common-texts-cve-2022-42889/