What You Need to Know About the Apache Commons Text Flaw (CVE-2022-42889)

Default Author Image
October 20, 2022

Apache Commons Text Flaw (CVE-2022-42889)

Vulnerability researchers and media sources are paying a lot of attention to CVE-2022-42889, a vulnerability affecting the open source library Apache Commons Text, which could potentially allow a malicious actor to execute arbitrary code.

Some have even dubbed it “Text4Shell” or “Act4Shell”—thereby likening it to the infamous Log4Shell vulnerability that caused mayhem for security teams last year and continues to be an important vulnerability to patch. However, at the time of publishing, we see no evidence proving that CVE-2022-42889 is as dangerous, or as far-reaching, as Log4Shell. However, if organizations are using the Apache Commons Text Library, they should triage their systems to ensure they’re not running affected versions. 

Here’s what we know about the Apache Commons Text Flaw (CVE-2022-42889).

How to address CVE-2022-42889

Although CVE-2022-42889 is a library/framework vulnerability, security teams shouldn’t assume that this issue is as far-reaching as Log4Shell. However, we will update this post if our vulnerability intelligence signals otherwise. 

Although a working Proof-of-concept (PoC) does exist, very few of the listed 2,591 projects use the vulnerable method. In addition, exploitation likely relies on specific and targeted code, unlike Log4Shell. Regardless, organizations will want to make sure that their applications using Apache Commons Text aren’t parsing user controlled inputs.

A solution is available, with Apache stating the following:

“…affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.”


Not a “4Shell” vulnerability

The media seems to be fixated on reporting vulnerabilities said to rival or surpass Log4Shell. However, it appears that some researchers have an equal fixation on borrowing the “4Shell” nomenclature. This is a detriment to the industry and to practitioners, since doing so invites sensationalizing, which then results in confusion and panic.

We saw this back in March when “SpringShell” (CVE-2022-22965), or “Spring4Shell” (CVE-2022-22963) were announced, with multiple publications heralding it as the successor to Log4Shell:

Note that those two vulnerabilities are very different, but due to the similarity in naming, many people referred to one term to unknowingly mean both vulnerabilities. This speaks to one of the problems inherent in naming and sensationalizing every big vulnerability that comes along. In terms of attention and hype, Text4Shell is very similar to SpringShell. Its impact on the security industry was heavily overemphasized, and its relative specific nature made it difficult to exploit. Current information suggests that Text4Shell is even more specific.

At this time, the general consensus is that Text4Shell is not the next major vulnerability event:

Prioritize vulnerabilities effectively with Flashpoint

Vulnerabilities with heavy media attention usually get placed at the top of the queue, however, not every headline needs to be prioritized. Resources are scarce and time is short— security teams will need comprehensive vulnerability intelligence if they want proper context of an issue’s risk. With VulnDB, organizations get immediate value for over 300,000 vulnerabilities, with each entry containing known details for all manners of IT, OT, IoT, and third-party libraries and dependencies. Sign up for a free trial today.

Begin your free trial today.