Connect with us
X
Categories:

Technology

Apache Commons Text RCE: Similar to Log4Shell, but with “far reduced” exposure risk

Published

on

Apache Commons Text RCE: Similar to Log4Shell, but with "far reduced" exposure risk
Share this post:

A critical flaw patched in the Apache Commons Text library has sparked comparisons with the ‘Log4Shell’ bug that surfaced in the near-ubiquitous open source component Log4j last year.

However, the researcher who found and reported the Commons Text flaw in March has downplayed its comparative impact, while acknowledging a resemblance to the ‘Log4Shell’ vulnerability that is widely recognized as one of the most severe flaws of all time.

Lookup link

“The vulnerability is indeed very similar,” GitHub Security Lab principal researcher Alvaro Muñoz told Daily Swig.

“The Apache Commons Text code appears to be based on the Log4j code, as both of them enable interpolation of multiple Lookup sources. Log4j enabled JNDI lookups [while] Apache Commons Text and Apache Commons Configuration allows script lookups – both could lead to RCE. The impact is, therefore, very high.

“However, it is worth keeping in mind that an issue’s severity is calculated based on both the impact and the likelihood, and for the Apache Commons Text, the likelihood of untrusted data flowing to ACT’s sink is much lower.”

Apache Commons Text performs text operations such as escaping, calculating string differences, and substituting placeholders in text with values looked up through interpolators. Fellow open source library Log4j is a Java-based logging utility.

Tracked as CVE-2022-42889, the Commons Text bug emerged on October 13 with an Apache Software Foundation (ASF) security advisory.

The vulnerability centers on an insecure implementation of the library’s variable interpolation functionality, namely that certain default lookup strings could potentially accept untrusted input from remote attackers, such as DNS requests, URLs, or inline scripts.

‘Clearly documented’

A technical analysis published yesterday by Rapid7 also attempted to tamp down hype over the bug, whose CVSS score of 9.8 is nevertheless close to Log4Shell’s perfect 10 on the severity front.

The vulnerable “StringSubstitutor interpolator is considerably less widely used than the vulnerable string substitution in Log4j and the nature of such an interpolator means that getting crafted input to the vulnerable object is less likely than merely interacting with such a crafted string as in Log4Shell,” said Rapid7.

Arnout Engelen, security response program manager at the ASF, echoed these sentiments, telling Daily Swig: “In Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.”

Remediation

The flaw affects Apache Commons Text versions 1.5 through 1.9, and all JDK versions, and has been patched in version 1.10.

Engelen said: “When using the string substitution feature, some of the available interpolators can trigger network access or code execution. This is intended, but it also means an application that includes user input in the string passed to the substitution without properly sanitizing it would allow an attacker to trigger those interpolators.

“For that reason the Apache Commons Text team have decided to update the configuration to be more ‘secure by default’, so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators.

“However, it is still recommended that users treat untrusted input with care. We’re not currently aware of any applications that pass untrusted input to the substitutor and thus would have been impacted by this problem prior to Apache Commons Text 1.10.0.”

Rapid7 recommends that developers and maintainers watch out for follow-on vendor advisories, install “patches as they become available, and prioritize anywhere the vendor indicates that their implementation may be remotely exploitable”.


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Chief Oyerigha Echo Toikumoh - The Earlier The Better
Music1 month ago

[Music] Chief Oyerigha Echo Toikumoh – The Earlier The Better

Enzo Maresca and Mikel Arteta stated they will not take Pep Guardiola's place at Manchester City
Sports1 month ago

Enzo Maresca and Mikel Arteta stated they will not take Pep Guardiola’s place at Manchester City

Alan Shearer reckons Liverpool star is ‘not going to get better’
Sports1 month ago

Alan Shearer reckons Liverpool star is ‘not going to get better’

NECO examiners threaten nationwide protest over unpaid entitlements
News1 month ago

NECO examiners threaten nationwide protest over unpaid entitlements

Jonathan congratulates Trump on historic election win
News1 month ago

Jonathan congratulates Trump on historic election win

Peter Obi can become president in 2027 — Yunusa Tanko
News1 month ago

Peter Obi can become president in 2027 — Yunusa Tanko

Dua Lipa forced to cancel show after ‘unforeseen safety issues’
Entertainment1 month ago

Dua Lipa forced to cancel show after ‘unforeseen safety issues’

Uzoamaka Onuoha wins Best Female Performance in a feature at AFRIFF 2024
Entertainment1 month ago

Uzoamaka Onuoha wins Best Female Performance in a feature at AFRIFF 2024

'Phoenix Fury' bags Best Film award at the 13th edition of AFRIFF
Entertainment1 month ago

‘Phoenix Fury’ bags Best Film award at the 13th edition of AFRIFF

Vivo begins teasing new Dimensity 9400 flagships internationally
Technology1 month ago

Vivo begins teasing new Dimensity 9400 flagships internationally

Google Pixel 11 and Pixel 11 Pro may trade performance gains for longer battery life
Technology1 month ago

Google Pixel 11 and Pixel 11 Pro may trade performance gains for longer battery life

Manchester United players warned ‘only one is safe’ under Ruben Amorim
Sports1 month ago

Manchester United players warned ‘only one is safe’ under Ruben Amorim

Austin DeAnda given impromptu makeover after he is forced to have haircut in the middle of fight
Sports1 month ago

Austin DeAnda given impromptu makeover after he is forced to have haircut in the middle of fight

IG orders punishment for errant cops
News1 month ago

IG orders punishment for errant cops

Be ready to recover stolen mandate — Ighodalo tells PDP
News1 month ago

Be ready to recover stolen mandate — Ighodalo tells PDP

No part of Ogun will be ceded under my watch — Dapo Abiodun
News1 month ago

No part of Ogun will be ceded under my watch — Dapo Abiodun

Ruger calls out auto tune and hype culture in music
Entertainment1 month ago

Ruger calls out auto tune and hype culture in music

I hate to play same role repeatedly — Actress Bimbo Akintola
Entertainment1 month ago

I hate to play same role repeatedly — Actress Bimbo Akintola

Fans split on Davido, Wizkid, and Burna Boy's Grammy nominations.
Entertainment1 month ago

Fans split on Davido, Wizkid, and Burna Boy’s Grammy nominations

Samsung Galaxy S25 Slim: Leaker reveals launch details for Samsung's rival iPhone 17 Air
Technology1 month ago

Samsung Galaxy S25 Slim: Leaker reveals launch details for Samsung’s rival iPhone 17 Air

Realme names first smartphone to get Android 15 beta worldwide
Technology1 month ago

Realme names first smartphone to get Android 15 beta worldwide

England interim manager tipped for surprise Premier League job
Sports1 month ago

England interim manager tipped for surprise Premier League job

Hakim Ziyech mocks Israeli supporters attacked in Amsterdam
Sports1 month ago

Hakim Ziyech mocks Israeli supporters attacked in Amsterdam

Court jails seven for internet fraud in Kaduna
News1 month ago

Court jails seven for internet fraud in Kaduna

Edo APC criticizes Obaseki’s last-minute appointments
News1 month ago

Edo APC criticizes Obaseki’s last-minute appointments

Edo PDP announces caretaker committee
News1 month ago

Edo PDP announces caretaker committee

Tems makes history after securing 3 nominations for the 67th Grammys
Entertainment1 month ago

Tems makes history after securing 3 nominations for the 67th Grammys

Beyoncé surpasses Jay-Z to become the most nominated artist in Grammy history
Entertainment1 month ago

Beyoncé surpasses Jay-Z to become the most nominated artist in Grammy history

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations
Entertainment1 month ago

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations
Entertainment1 month ago

2025 GRAMMY: Academy unveils category changes ahead of nomination event

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Final Episode 13)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 12)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 11)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 10)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 09)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 08)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 07)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 06)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 05)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 04)

ANE Billboard Hots



Join "ANE sabi" clique

Don't miss a thing, get ogbonge ANE latest updates to fuel your conversation daily.