A critical flaw patched in the Apache Commons Text library has sparked comparisons with the ‘Log4Shell’ bug that surfaced in the near-ubiquitous open source component Log4j last year.
However, the researcher who found and reported the Commons Text flaw in March has downplayed its comparative impact, while acknowledging a resemblance to the ‘Log4Shell’ vulnerability that is widely recognized as one of the most severe flaws of all time.
“The vulnerability is indeed very similar,” GitHub Security Lab principal researcher Alvaro Muñoz told Daily Swig.
“The Apache Commons Text code appears to be based on the Log4j code, as both of them enable interpolation of multiple Lookup sources. Log4j enabled JNDI lookups [while] Apache Commons Text and Apache Commons Configuration allow script lookups – both could lead to RCE. The impact is, therefore, very high.
“However, it is worth keeping in mind that an issue’s severity is calculated based on both the impact and the likelihood, and for the Apache Commons Text, the likelihood of untrusted data flowing to ACT’s sink is much lower.”
Apache Commons Text performs text operations such as escaping, calculating string differences, and substituting placeholders in text with values looked up through interpolators. Fellow open source library Log4j is a Java-based logging utility.
Tracked as CVE-2022-42889, the Commons Text bug emerged on October 13 with an Apache Software Foundation (ASF) security advisory.
The vulnerability centers on an insecure implementation of the library’s variable interpolation functionality: certain default lookup strings could accept untrusted input from remote attackers, such as DNS requests, URLs, or inline scripts.
A technical analysis published yesterday by Rapid7 also attempted to tamp down hype over the bug, whose CVSS score of 9.8 is nevertheless close to Log4Shell’s perfect 10 on the severity front.
The vulnerable “StringSubstitutor interpolator is considerably less widely used than the vulnerable string substitution in Log4j and the nature of such an interpolator means that getting crafted input to the vulnerable object is less likely than merely interacting with such a crafted string as in Log4Shell,” said Rapid7.
Arnout Engelen, security response program manager at the ASF, echoed these sentiments, telling Daily Swig: “In Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.”
The flaw affects Apache Commons Text versions 1.5 through 1.9 on all JDK versions, and has been patched in version 1.10.
Engelen said: “When using the string substitution feature, some of the available interpolators can trigger network access or code execution. This is intended, but it also means an application that includes user input in the string passed to the substitution without properly sanitizing it would allow an attacker to trigger those interpolators.
“For that reason the Apache Commons Text team have decided to update the configuration to be more ‘secure by default’, so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators.
“However, it is still recommended that users treat untrusted input with care. We’re not currently aware of any applications that pass untrusted input to the substitutor and thus would have been impacted by this problem prior to Apache Commons Text 1.10.0.”
Rapid7 recommends that developers and maintainers watch out for follow-on vendor advisories, install “patches as they become available, and prioritize anywhere the vendor indicates that their implementation may be remotely exploitable”.
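As an added illustration of the ‘secure by default’ point made by Engelen above (this is example code written for this article, not code from Daily Swig, Rapid7 or the Apache Commons Text project): a Java snippet that builds a StringSubstitutor with an explicit allowlist of lookups, so the script, dns and url interpolators are never registered whatever library version is on the classpath, plus an audit check for untrusted text. The `SafeTemplating` class, the `app` prefix and the sample input are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Placeholder substitution with an explicit allowlist of interpolators (example class). */
public final class SafeTemplating {

    // Prefixes named in the advisory whose lookups reach the network or run code.
    private static final Pattern RISKY_PREFIX =
            Pattern.compile("\\$\\{(script|dns|url):", Pattern.CASE_INSENSITIVE);

    /**
     * Builds a StringSubstitutor that resolves only "${app:name}" from our own map.
     * addDefaultLookups=false means script/dns/url are never registered, so the
     * behaviour is the same on 1.5-1.9 as on 1.10, where they are off by default.
     */
    public static StringSubstitutor trustedOnly(Map<String, String> vars) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", factory.mapStringLookup(vars)); // "app" is a constructed prefix
        StringLookup interpolator = factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    /** Audit check for untrusted text: does it reference a risky interpolator prefix? */
    public static boolean mentionsRiskyLookup(String text) {
        return text != null && RISKY_PREFIX.matcher(text).find();
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("user", "alice");
        StringSubstitutor sub = trustedOnly(vars);

        // A trusted placeholder resolves from our map as usual.
        System.out.println(sub.replace("Hello ${app:user}"));

        // Constructed sample of untrusted input that names an unregistered lookup:
        // no "dns" lookup exists in the allowlist, so the substitutor leaves the
        // text unchanged and no network access takes place.
        String untrusted = "${dns:address|example.org}";
        System.out.println(sub.replace(untrusted));
        System.out.println("flagged by audit check: " + mentionsRiskyLookup(untrusted));
    }
}
```

The audit check is a log-and-alert aid for reviewing inputs that reach a substitutor, not a replacement for the allowlist, which is what actually prevents the lookups from running.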