WordPress security firm Wordfence on Thursday said it began detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022.
The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity rating of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
It's also similar to the now infamous Log4Shell vulnerability in that the issue is rooted in the way string substitutions performed during DNS, script, and URL lookups could lead to the execution of arbitrary code on susceptible systems when untrusted input is passed in.
A successful exploitation of the flaw can enable a threat actor to open a reverse shell connection with the vulnerable application simply via a specially crafted payload, effectively opening the door for follow-on attacks.
While the issue was originally reported in early March 2022, the Apache Software Foundation (ASF) released an updated version of the software (1.10.0) on September 24, followed by issuing an advisory only last week on October 13.
"Fortunately, not all users of this library would be affected by this vulnerability – unlike Log4J in the Log4Shell vulnerability, which was vulnerable even in its most basic use-cases," Checkmarx researcher Yaniv Nizry said.
"Apache Commons Text must be used in a certain way to expose the attack surface and make the vulnerability exploitable."
Wordfence also reiterated that the likelihood of successful exploitation is significantly limited in scope when compared to Log4j, with most of the payloads observed so far designed to scan for vulnerable installations.
"A successful attempt would result in the victim site making a DNS query to the attacker-controlled listener domain," Wordfence researcher Ram Gall said, adding that requests with script and URL prefixes were comparatively lower in volume.
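As an added example (this is not Wordfence's detection logic, which the article does not reproduce), the following Python script flags requests that carry the DNS, script and URL lookup prefixes described above. It URL-decodes each line (repeatedly, since scanners sometimes double-encode) before matching, and tallies hits by prefix so a defender can see the DNS-heavy mix Gall describes. The access-log lines are constructed samples, not real traffic, with the payload bodies replaced by placeholders.

```python
import re
from urllib.parse import unquote

# The three interpolator prefixes named in the article. Matching is done
# on the decoded request so percent-encoded probes are not missed.
PROBE_RE = re.compile(r"\$\{\s*(dns|script|url)\s*:", re.IGNORECASE)


def decode_fully(text: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_request(line: str):
    """Return 'dns', 'script' or 'url' if a lookup prefix is present, else None."""
    match = PROBE_RE.search(decode_fully(line))
    return match.group(1).lower() if match else None


def summarize(lines):
    """Count probe requests per prefix and collect the matching lines."""
    counts = {"dns": 0, "script": 0, "url": 0}
    hits = []
    for line in lines:
        kind = classify_request(line)
        if kind:
            counts[kind] += 1
            hits.append((kind, line))
    return counts, hits


# Constructed sample access-log lines (not real traffic); payload bodies
# are replaced with PLACEHOLDER / REDACTED, only the prefix matters here.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2022:10:01:12 +0000] "GET /?q=${dns:PLACEHOLDER} HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Oct/2022:10:01:13 +0000] "GET /?q=%24%7Bdns%3APLACEHOLDER%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Oct/2022:10:02:40 +0000] "GET /?q=%2524%257Bscript%253AREDACTED%257D HTTP/1.1" 200 512',
    '198.51.100.9 - - [18/Oct/2022:10:03:01 +0000] "POST /search HTTP/1.1" 200 2048',
    '192.0.2.4 - - [18/Oct/2022:10:04:22 +0000] "GET /?u=${url:REDACTED} HTTP/1.1" 200 512',
    '192.0.2.4 - - [18/Oct/2022:10:05:00 +0000] "GET /docs/${version} HTTP/1.1" 404 128',
]

if __name__ == "__main__":
    totals, matched = summarize(SAMPLE_LOG)
    print("probe requests by prefix:", totals)
    for kind, line in matched:
        print(f"[{kind}] {line}")
```

The third sample line is double-encoded and is only caught because decoding is repeated; a single `unquote` would leave `%24%7Bscript...` unmatched. The last line shows that a bare `${...}` placeholder without one of the lookup prefixes is not flagged, which keeps ordinary template-style URLs out of the alert queue.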
If anything, the development is yet another indication of the potential security risks posed by third-party open source dependencies, necessitating that organizations routinely assess their attack surface and set up appropriate patch management strategies.
Users who have direct dependencies on Apache Commons Text are recommended to upgrade to the fixed version to mitigate potential threats. According to Maven Repository, as many as 2,593 projects use the Apache Commons Text library.
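To act on the upgrade advice above, a team first has to find where commons-text is declared and whether the declared version falls in the 1.5 through 1.9 range. The following Python script is an added example, not a tool from Apache or Maven: it reads a `pom.xml`, resolves a `${property}`-style version reference from the `<properties>` block, and compares versions numerically rather than as strings (a plain string comparison would put "1.10.0" before "1.9" and wrongly mark the fixed release as affected). The POM is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Affected range and fixed release as stated in the article.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (1, 9)
FIXED_VERSION = "1.10.0"


def parse_version(version: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0); stops at the first non-numeric piece."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the major.minor part lies within 1.5 .. 1.9 inclusive."""
    parsed = parse_version(version)
    return len(parsed) >= 2 and AFFECTED_MIN <= parsed[:2] <= AFFECTED_MAX


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.split("}")[-1]


def audit_pom(pom_xml: str):
    """Return (resolved_version, affected) for each commons-text dependency."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for element in root:
        if _local(element.tag) == "properties":
            properties = {_local(c.tag): (c.text or "").strip() for c in element}
    results = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != "org.apache.commons" or fields.get("artifactId") != "commons-text":
            continue
        raw = fields.get("version", "")
        ref = re.fullmatch(r"\$\{(.+?)\}", raw)
        version = properties.get(ref.group(1), raw) if ref else raw
        results.append((version, is_affected(version)))
    return results


# Constructed sample pom.xml: the version is declared through a property,
# a common layout that a naive text search for "<version>1.9" would miss.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>0.1.0</version>
  <properties>
    <commons.text.version>1.9</commons.text.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>${commons.text.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, affected in audit_pom(SAMPLE_POM):
        status = f"affected, upgrade to {FIXED_VERSION}" if affected else "not in affected range"
        print(f"commons-text {version}: {status}")
```

This only inspects versions declared directly in the POM, which matches the article's focus on direct dependencies; commons-text pulled in transitively by another library will not appear here, and the resolved dependency graph from `mvn dependency:tree` is the place to check for that.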
The Apache Commons Text flaw also follows another critical security weakness that was disclosed in Apache Commons Configuration in July 2022 (CVE-2022-33980, CVSS score: 9.8), which could result in arbitrary code execution through the variable interpolation functionality.