A brand new vulnerability within the Apache Commons Textual content, AKA Text4Shell, permits an attacker to execute arbitrary code on the host machine. Initially reported by Alvaro Munoz, principal safety researcher at GitHub, CVE-2022-42889, is just like Spring4Shell and Log4Shell, permitting distant code execution (RCE).
The CVSSv3 system scores the vulnerability at 9.8 with crucial severity as it’s simply exploitable, and the affect of gaining access to the underlying host might probably have an effect on the reliability and availability of the system. Nevertheless, it won’t have the identical broad affect as Log4Shell, for instance, for the reason that vulnerability exists within the StringSubstitutor class, which isn’t a standard technique however restricted to a selected use case.
Apache Commons Textual content is a generally used Java library that gives further algorithms for String manipulation to builders.
Because the title suggests, the StringSubstitutor class replaces and substitutes values inside a given String worth. Contemplate the next instance:
StringSubstitutor
.replaceSystemProperties("You might be working with java.model = ${java.model} and os.title = ${os.title}.");
The above code accommodates the ${java.model} and ${os.title} that will likely be changed by the Java system property. StringSubstitutor makes use of interpolation, permitting a number of expressions to substitute Strings. An attacker can use the default Interpolator to execute distant code, for instance, utilizing the StringSubstitutor.createInterpolator(). technique.
Extra particularly, an attacker could have the chance to inject malicious code throughout lookups like substitute() or replaceIn() . It’s because “dns”, “script” and “url” lookup keys are interpolated by default relatively than conforming to the documentation for the StringLookupFactory class.
Within the following instance, an attacker might simply entry the underlying shell by offering “script” and executing arbitrary code on the host machine.
remaining StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
String out = interpolator.substitute("${script:javascript:java.lang.Runtime.getRuntime().exec('contact /tmp/CVE-2022-42889')}");
System.out.println(out);
The payload consists with ${prefix:title}, making certain a StringLookup and thereby executing code remotely on the host shell.
To keep away from being affected by CVE-2022-42889, builders ought to improve to Apache Commons Textual content 1.10 or later. Builders can even use a particular guidelines, as proven under, to make sure that they don’t have an earlier model than 1.10.
- Test supply code for the
StringSubstitutorclass and default interpolation technique,StringSubstitutor.createInterpolator(). - Make sure that the dependency isn’t included in a Maven or Gradle construct and packaging system.
- Make sure that deployment machines and containers shouldn’t have this dependency JAR within the classpath.
- Test container pictures. Often, this may be achieved by way of working container scans.
- Test automated builds. Usually, there are exterior methods constructing and sanity-checking developer code. Make sure that the binary doesn’t exist within the construct system itself and that the output doesn’t embrace it.
