WordPress safety firm Wordfence on Thursday mentioned it began detecting exploitation makes an attempt focusing on the newly disclosed flaw in Apache Commons Textual content on October 18, 2022.
The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity rating of 9.8 out of a doable 10.0 on the CVSS scale and impacts variations 1.5 by 1.9 of the library.
It is also much like the now notorious Log4Shell vulnerability in that the challenge is rooted within the method string substitutions carried out throughout DNS, script, and URL lookups may result in the execution of arbitrary code on inclined techniques when passing untrusted enter.
A profitable exploitation of the flaw can allow a risk actor to open a reverse shell reference to the susceptible utility merely through a specifically crafted payload, successfully opening the door for follow-on assaults.
Whereas the challenge was initially reported in early March 2022, the Apache Software program Basis (ASF) launched an up to date model of the software program (1.10.0) on September 24, adopted by issuing an advisory solely final week on October 13.
“Happily, not all customers of this library can be affected by this vulnerability – not like Log4J within the Log4Shell vulnerability, which was susceptible even in its most elementary use-cases,” Checkmarx researcher Yaniv Nizry mentioned.
“Apache Commons Textual content should be utilized in a sure technique to expose the assault floor and make the vulnerability exploitable.”
Wordfence additionally reiterated that the probability of profitable exploitation is considerably restricted in scope when in comparison with Log4j, with a lot of the payloads noticed up to now designed to scan for susceptible installations.
“A profitable try would consequence within the sufferer website making a DNS question to the attacker-controlled listener area,” Wordfence researcher Ram Gall mentioned, including requests with script and URL prefixes have been comparatively decrease in quantity.
If something, the event is one more indication of the potential safety dangers posed by third-party open supply dependencies, necessitating that organizations routinely assess their assault floor and arrange acceptable patch administration methods.
Customers who’ve direct dependencies on Apache Commons Textual content are really useful to improve to the mounted model to mitigate potential threats. In line with Maven Repository, as many as 2,593 tasks use the Apache Commons Textual content library.
The Apache Commons Textual content flaw additionally follows one other essential safety weak point that was disclosed in Apache Commons Configuration in July 2022 (CVE-2022-33980, CVSS rating: 9.8), which may consequence in arbitrary code execution by the variable interpolation performance.
