October 18, 2022. WordPress security company Wordfence announced Thursday that it has begun detecting attempts to exploit the newly disclosed vulnerability in Apache Commons Text.
The vulnerability, tracked as CVE-2022-42889 and nicknamed Text4Shell, was assigned a severity rating of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
It also resembles the infamous Log4Shell vulnerability: the problem is rooted in the way variable interpolation (string substitution) is performed when the DNS, script, and URL lookups are available, so that passing untrusted input into the substitutor may lead to arbitrary code execution on a susceptible system.
Successful exploitation of the flaw allows an attacker to open a reverse shell connection to a vulnerable application via a specially crafted payload, which effectively opens the door for follow-on attacks.
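The two usage patterns behind that description, as an added example that is not part of the original article or of the Apache Commons Text project: an interpolating substitutor whose template contains untrusted text (the vulnerable shape), beside a substitutor whose template is fixed and whose untrusted data enters only as a map value (the hardened shape). The class name, the method names and the sample payload string are assumptions made here for illustration; the payload is shaped like the script lookup the article names and is never executed by the hardened path.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    // Constructed sample of attacker-controlled input. With commons-text 1.5 through 1.9 and a
    // JavaScript engine on the classpath, the vulnerable path below would evaluate it.
    static final String UNTRUSTED =
        "${script:javascript:java.lang.Runtime.getRuntime().exec('id')}";

    // Vulnerable shape: untrusted text becomes part of the template handed to the default
    // interpolator, which in 1.5 through 1.9 resolves the script:, dns: and url: prefixes.
    // createInterpolator() exists since 1.8; on 1.5 to 1.7 the equivalent is
    // new StringSubstitutor(StringLookupFactory.INSTANCE.interpolatorStringLookup()).
    static String vulnerable(String untrusted) {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
        return interpolator.replace("Hello, " + untrusted);
    }

    // Hardened shape: the developer owns the template, and the only lookup in play is an explicit
    // map, so a "${...}" sequence inside the untrusted value has no lookup that can resolve it and
    // is left as literal text. Disabling substitution in values removes the recursion entirely.
    static String hardened(String untrusted) {
        StringSubstitutor sub = new StringSubstitutor(
            StringLookupFactory.INSTANCE.mapStringLookup(Map.of("name", untrusted)));
        sub.setDisableSubstitutionInValues(true);
        return sub.replace("Hello, ${name}");
    }

    public static void main(String[] args) {
        // The hardened path echoes the payload verbatim instead of interpreting it.
        System.out.println(hardened(UNTRUSTED));
        // vulnerable(UNTRUSTED) is deliberately not invoked here; on an affected version it
        // would execute the embedded script rather than print it.
    }
}
```

The fix in 1.10.0 narrows the default interpolator so that the script, dns and url prefixes are no longer resolved unless an application opts back in, but the hardened shape above is the durable guidance regardless of version: untrusted data should only ever be a value, never part of the template.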
The problem was originally reported in early March 2022; the Apache Software Foundation (ASF) released an updated version of the software (1.10.0) on September 24 but only issued an advisory on October 13.
“Fortunately, not all users of this library are affected by this vulnerability. Unlike Log4j in the Log4Shell vulnerability, where even the most basic use cases were vulnerable,” said Checkmarx researcher Yaniv Nizry,
“Apache Commons Text needs to be used in specific ways to expose the attack surface and make the vulnerability exploitable.”
Wordfence also reiterated that the potential for successful exploitation is significantly limited in scope when compared to Log4j, and that most of the payloads it has seen so far are designed to scan for vulnerable installations.
“If this attempt succeeds, the victim site will perform a DNS query against an attacker-controlled listener domain,” Wordfence researcher Ram Gall said, adding that requests using the script and URL prefixes were relatively low in volume.
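A way to spot the scanning traffic Wordfence describes in one's own access logs, as an added example that is not part of the original article or of Wordfence's tooling: the scan flags any request that carries a `${dns:`, `${script:` or `${url:` lookup, checked both raw and after percent-decoding, since the probes arrive in query strings. The class and method names are assumptions made here; the log lines are constructed samples with reserved documentation addresses and a placeholder callback domain, not real indicators.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class Text4ShellLogScan {

    // Prefixes of the three lookups that the 1.10.0 fix removed from the default interpolator.
    // Commons Text lower-cases the prefix before matching it, so the scan is case-insensitive
    // too; the optional whitespace only makes the pattern tolerant of sloppy probes.
    private static final Pattern LOOKUP =
        Pattern.compile("\\$\\{\\s*(dns|script|url)\\s*:", Pattern.CASE_INSENSITIVE);

    // Query strings are usually percent-encoded, so decode before the second check.
    static String percentDecode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s; // malformed %xx sequence: fall back to the raw line
        }
    }

    static boolean looksLikeProbe(String line) {
        return LOOKUP.matcher(line).find() || LOOKUP.matcher(percentDecode(line)).find();
    }

    static List<String> flagProbes(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (looksLikeProbe(line)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed access-log lines: one encoded dns probe, one mixed-case script probe,
        // one harmless "${...}" with no lookup prefix, and one ordinary request.
        List<String> sample = List.of(
            "203.0.113.7 - - [18/Oct/2022:10:01:12 +0000] \"GET /?q=%24%7Bdns%3Aaddress%7Ccallback.example%7D HTTP/1.1\" 200 512",
            "198.51.100.2 - - [18/Oct/2022:10:01:13 +0000] \"GET /?name=${SCRIPT:javascript:1%2B1} HTTP/1.1\" 200 512",
            "192.0.2.9 - - [18/Oct/2022:10:01:14 +0000] \"GET /?q=${user.home} HTTP/1.1\" 200 512",
            "192.0.2.10 - - [18/Oct/2022:10:01:15 +0000] \"GET /index.html HTTP/1.1\" 200 1024");
        // Only the first two lines are reported.
        for (String hit : flagProbes(sample)) {
            System.out.println("probe: " + hit);
        }
    }
}
```

A hit means a probe arrived, not that it succeeded; the confirmation Gall describes is the outbound DNS query from the application host, so pair this scan with resolver logs or egress monitoring for lookups of unfamiliar domains that follow the request.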
If anything, this development is another sign of the potential security risks posed by reliance on third-party open source software, and organizations should regularly assess their attack surface and put an appropriate patch management strategy in place.
Users relying directly on Apache Commons Text are recommended to upgrade to a fixed version to mitigate potential threats. According to the Maven repository, 2,593 projects use the Apache Commons Text library.
The Apache Commons Text vulnerability follows another critical security flaw disclosed in Apache Commons Configuration in July 2022 (CVE-2022-33980, CVSS score: 9.8), which could result in arbitrary code execution through the variable interpolation feature.