Zscaler Blog


Security Research

Security Advisory: Apache Commons Text Remote Code Execution Vulnerability (CVE-2022-42889)

Background:

On 13 October 2022 the Apache Software Foundation released a security advisory with patch and mitigation details for a remote code execution vulnerability, CVE-2022-42889. The vulnerability has generated considerable attention in the hours since, especially after a proof of concept (PoC) demonstrating it was published.

The Apache Commons Text library contains a set of Java classes with algorithms for measuring and manipulating strings. Among other things, it performs variable interpolation: placeholders of the form "${prefix:name}" are dynamically evaluated and expanded. The "prefix" selects a specific instance of the interpolating org.apache.commons.text.lookup.StringLookup class. According to the advisory, the vulnerability exists in Apache Commons Text versions 1.5 through 1.9.

This vulnerability, CVE-2022-42889, is popularly referred to as "Text4Shell" or "Act4Shell".

What is the issue?

The vulnerability exists in the StringSubstitutor interpolator object of the Apache Commons Text library (org.apache.commons.text). An interpolator is created by the StringSubstitutor.createInterpolator() method and allows the string lookups defined in StringLookupFactory.

This can be used by passing a string "${prefix:name}" where the prefix is one of the lookup names listed below.

  • "script" - executes expressions using the JVM script execution engine (for example JavaScript, selected with the "js" engine name)
  • "dns" - performs DNS resolution
  • "url" - fetches the content of the given URL, including from remote servers

Any of the "script", "dns" or "url" lookups would allow a crafted string to execute arbitrary scripts when passed to the interpolator object. An attacker can send a crafted payload remotely using the "script", "dns" or "url" lookups to achieve arbitrary remote code execution.


PoC Verification:

The proof of concept for the vulnerability in commons-text (v1.9) shows execution of a command via a crafted payload, resulting in the creation of a directory called ThreatLabZ in the /home directory.

Possible executions:

  • ${script:js:java.lang.Runtime.getRuntime().exec("mkdir /home/ThreatLabZ")}
  • ${script:js:java.lang.Runtime.getRuntime().exec("cat /etc/passwd")}
  • ${url:URL}
  • ${env:PATH}
  • ${dns:D_name}

Affected products:

This vulnerability affects the following Apache Commons Text versions:

  • Apache Commons Text versions 1.5 through 1.9.

Mitigations:

  • Users of Apache Commons Text should upgrade to 1.10.0, which disables the problematic interpolators by default.
  • We recommend that you install these patches as they become available, and prioritize any where the vendor indicates that their implementation may be remotely exploitable.
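As an added example (not Zscaler's or the Apache project's own code) that ties the lookup mechanism described under "What is the issue?" to the mitigation above: the default interpolator is contrasted with a StringSubstitutor built from an explicit allowlist of lookups, so that a prefix such as "script" is left unresolved whatever the library version. It assumes Java 11+ and commons-text 1.6 or later on the classpath; the class name RestrictedInterpolation and the sample input are constructed for this illustration.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not Zscaler's or Apache's code): the default interpolator,
 * which on commons-text 1.5-1.9 honours the script/dns/url prefixes, next to
 * a substitutor restricted to an explicit allowlist of lookups.
 */
public class RestrictedInterpolation {

    // Constructed sample of untrusted input in the "${prefix:name}" shape.
    // It only evaluates a string literal in the script engine; no OS access.
    static final String UNTRUSTED = "${script:js:'interpolated'}";

    /** Builds a substitutor that knows only the prefixes we deliberately allow. */
    static StringSubstitutor restrictedSubstitutor() {
        Map<String, StringLookup> allowed = Map.of(
            "date", StringLookupFactory.INSTANCE.dateStringLookup(),
            "base64Encoder", StringLookupFactory.INSTANCE.base64EncoderStringLookup());
        // defaultStringLookup=null and addDefaultLookups=false: nothing beyond
        // the map is registered, so script, dns and url are never reachable.
        StringLookup interpolator =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Vulnerable pattern on 1.5-1.9: createInterpolator() registers every
        // default lookup, including script, so the engine evaluates UNTRUSTED.
        StringSubstitutor unsafe = StringSubstitutor.createInterpolator();
        System.out.println("default interpolator   : " + unsafe.replace(UNTRUSTED));

        // Hardened pattern: the "script" prefix is not in the allowlist, the
        // lookup returns null and the placeholder is left as literal text.
        StringSubstitutor safe = restrictedSubstitutor();
        System.out.println("restricted interpolator: " + safe.replace(UNTRUSTED));

        // Allowed prefixes keep working as intended.
        System.out.println("allowed lookup         : " + safe.replace("${base64Encoder:ok}"));
    }
}
```

On 1.10.0 the first call also leaves the placeholder unresolved, because that release removed script, dns and url from the default lookup set; the allowlist approach is what protects callers that cannot upgrade immediately or that want the restriction to be explicit in code.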

Zscaler Coverage:

Zscaler’s ThreatLabZ team has deployed protection.

  • Zscaler Private Access AppProtection:
    1. Deserialization Issues: 944130 (Suspicious Java Class Detected)
    2. Remote Code Execution: 932130 (Unix Shell Expression Found)
  • Zscaler Advanced Threat Protection:
    1. Apache.Exploit.CVE-2022-42889

As further information comes in or additional protection is put into place, Zscaler will update this publication accordingly.

Resources:

  1. https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
  2. https://nvd.nist.gov/vuln/detail/CVE-2022-42889
  3. https://github.com/SeanWrightSec/CVE-2022-42889-PoC
  4. https://github.com/karthikuj/cve-2022-42889-text4shell-docker
