Text4Shell Vulnerability - Web - October 2022

A critical flaw in Apache Commons Text!

For the past few days, a new vulnerability in the Apache Commons Text library, nicknamed Text4Shell, has been making a lot of noise, and it is reminiscent of a security flaw that made headlines last year: Log4Shell.

This new alert was issued on October 18, 2022 by Wordfence, a company specializing in the protection of WordPress sites, after it detected numerous attack attempts trying to exploit the CVE-2022-42889 security flaw. This vulnerability is located in Apache Commons Text and carries a CVSSv3 score of 9.8 out of 10!

First of all, what is Apache Commons Text? Not to be confused with the Apache2 web server (phew, I can see some of you already breathing a sigh of relief), it is an open source Java library that developers use to manipulate strings (escaping, encoding or substituting variables in a template, for example). The vulnerable component is its StringSubstitutor, the class that replaces ${...} placeholders in a string: in the affected versions, an interpolator created with its default lookups also resolves the "script", "dns" and "url" prefixes, so a placeholder such as ${script:javascript:...} evaluates code. As a result, you may not be using it directly, but an application you use may rely on this library, somewhat in the same spirit as the Log4Shell vulnerability, which makes you vulnerable.

The "Text4Shell" security flaw affects all versions of Apache Commons Text from version 1.5 to version 1.9. To be protected, use the latest available version, Apache Commons Text 1.10.0, which no longer enables the script, dns and url lookups by default. The Apache Software Foundation has been aware of this vulnerability since March 2022, and it was patched on September 24, 2022.

What are the risks? Should we be worried?

By exploiting this security flaw, an attacker who manages to get a specially crafted string (a ${script:javascript:...} placeholder, for instance) into input that the vulnerable application hands to Apache Commons Text's string interpolation can execute code remotely on the server, and from there, for example, open a reverse shell back to a machine they control. In other words, this is a remote code execution vulnerability, and no authentication is needed if the interpolated string comes from an untrusted source such as a request parameter or a header.

The good news with Text4Shell, compared to Log4Shell, is that not everyone is vulnerable, since it depends on how the library is used: only applications that pass untrusted input through the StringSubstitutor interpolator with its default lookups are exposed. We can say that the situation is not as critical. Yaniv Nizry, security researcher at Checkmarx, clarifies: “Fortunately, not all users of this library would be affected by this vulnerability – unlike Log4j in the Log4Shell vulnerability, which was vulnerable even in its most basic use cases.”
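The exploitation path described above and the point that exposure depends on how the library is used, shown as an added example that is not code from this article or from the Apache Commons Text project itself. It assumes the vulnerable commons-text 1.9 on the classpath and Java 11 (Nashorn still ships, so the "script" lookup has a JavaScript engine to run); the class name Text4ShellDemo, the methods renderVulnerable and renderSafe and the sample payload are constructed for this illustration:

```java
// Added example: the vulnerable StringSubstitutor usage behind CVE-2022-42889
// next to a hardened, allow-listed interpolator. Not the project's own code.
// Assumes org.apache.commons:commons-text:1.9 on the classpath and Java 11.
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    // VULNERABLE PATTERN: createInterpolator() builds a substitutor with the
    // default lookups, which in 1.5-1.9 include script, dns and url. Any
    // attacker-controlled text reaching replace() can trigger those lookups.
    static String renderVulnerable(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // HARDENED PATTERN: build the interpolator from an explicit allow-list.
    // An empty prefix map means no "prefix:" lookups at all; plain ${name}
    // placeholders resolve only against the supplied map; addDefaultLookups=false
    // keeps script/dns/url out whatever the library version on the classpath.
    static String renderSafe(String template, Map<String, String> vars) {
        StringLookup allowed = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of(),                                            // no prefixed lookups
                StringLookupFactory.INSTANCE.mapStringLookup(vars),  // default: our own variables
                false);                                              // do not add default lookups
        return new StringSubstitutor(allowed).replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample input (hypothetical): what an attacker would submit in a
        // field the application later feeds into StringSubstitutor, e.g. a display name.
        // Reading a system property is enough to prove arbitrary Java is reachable.
        String payload = "Hello ${script:javascript:java.lang.System.getProperty('user.name')}";
        Map<String, String> vars = Map.of("user", "alice");

        // Hardened path: "script" is not an allowed prefix, the whole key misses the
        // variable map, so the placeholder is left verbatim and nothing executes.
        System.out.println("hardened  : " + renderSafe(payload, vars));
        System.out.println("hardened  : " + renderSafe("Hello ${user}", vars));

        // Vulnerable path: on commons-text 1.5-1.9 with a JSR-223 JavaScript engine
        // available, the script runs and the OS user name is substituted into the
        // output. On a JDK without such an engine (15+ without Nashorn) the lookup
        // throws instead, which is why a failed probe is not proof of safety.
        try {
            System.out.println("vulnerable: " + renderVulnerable(payload));
        } catch (RuntimeException e) {
            System.out.println("vulnerable: lookup threw " + e);
        }
    }
}
```

Run it with commons-text 1.9 to see the difference between the two methods, then again with 1.10.0, where renderVulnerable leaves the placeholder untouched as well. To find out whether an application pulls in an affected version transitively, mvn dependency:tree -Dincludes=org.apache.commons:commons-text (or gradle dependencies) lists it; anything from 1.5 to 1.9 needs the upgrade. The allow-listed interpolator is preferable to filtering the literal ${script: out of input: it removes the capability instead of trying to recognize every payload form.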

Several thousand projects use this library, as a search on the Maven Repository site shows. The CAS server from Apereo is one example. The safest course is to install the most recent version to protect yourself. Do not hesitate to check whether a new update is available for your applications, and check their dependency trees too: commons-text usually arrives as a transitive dependency rather than one you added yourself.
