Connect with us
X
Categories:

Technology

Apache Commons Text RCE: Similar to Log4Shell, but with “far reduced” exposure risk

Published

on

Apache Commons Text RCE: Similar to Log4Shell, but with "far reduced" exposure risk
Share this post:

A critical flaw patched in the Apache Commons Text library has sparked comparisons with the ‘Log4Shell’ bug that surfaced in the near-ubiquitous open source component Log4j last year.

However, the researcher who found and reported the Commons Text flaw in March has downplayed its comparative impact, while acknowledging a resemblance to the ‘Log4Shell’ vulnerability that is widely recognized as one of the most severe flaws of all time.

Lookup link

“The vulnerability is indeed very similar,” GitHub Security Lab principal researcher Alvaro Muñoz told Daily Swig.

“The Apache Commons Text code appears to be based on the Log4j code, as both of them enable interpolation of multiple Lookup sources. Log4j enabled JNDI lookups [while] Apache Commons Text and Apache Commons Configuration allows script lookups – both could lead to RCE. The impact is, therefore, very high.

“However, it is worth keeping in mind that an issue’s severity is calculated based on both the impact and the likelihood, and for the Apache Commons Text, the likelihood of untrusted data flowing to ACT’s sink is much lower.”

Apache Commons Text performs text operations such as escaping, calculating string differences, and substituting placeholders in text with values looked up through interpolators. Fellow open source library Log4j is a Java-based logging utility.

Tracked as CVE-2022-42889, the Commons Text bug emerged on October 13 with an Apache Software Foundation (ASF) security advisory.

The vulnerability centers on an insecure implementation of the library’s variable interpolation functionality, namely that certain default lookup strings could potentially accept untrusted input from remote attackers, such as DNS requests, URLs, or inline scripts.

‘Clearly documented’

A technical analysis published yesterday by Rapid7 also attempted to tamp down hype over the bug, whose CVSS score of 9.8 is nevertheless close to Log4Shell’s perfect 10 on the severity front.

The vulnerable “StringSubstitutor interpolator is considerably less widely used than the vulnerable string substitution in Log4j and the nature of such an interpolator means that getting crafted input to the vulnerable object is less likely than merely interacting with such a crafted string as in Log4Shell,” said Rapid7.

Arnout Engelen, security response program manager at the ASF, echoed these sentiments, telling Daily Swig: “In Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation.”

Remediation

The flaw affects Apache Commons Text versions 1.5 through 1.9, and all JDK versions, and has been patched in version 1.10.

Engelen said: “When using the string substitution feature, some of the available interpolators can trigger network access or code execution. This is intended, but it also means an application that includes user input in the string passed to the substitution without properly sanitizing it would allow an attacker to trigger those interpolators.

“For that reason the Apache Commons Text team have decided to update the configuration to be more ‘secure by default’, so that the impact of a failure to validate inputs is mitigated and will not give an attacker access to these interpolators.

“However, it is still recommended that users treat untrusted input with care. We’re not currently aware of any applications that pass untrusted input to the substitutor and thus would have been impacted by this problem prior to Apache Commons Text 1.10.0.”

Rapid7 recommends that developers and maintainers watch out for follow-on vendor advisories, install “patches as they become available, and prioritize anywhere the vendor indicates that their implementation may be remotely exploitable”.


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Expanding Living Space
Lifestyle3 weeks ago

Expanding Living Space: Prefabricated Workshop Building Kits for Extra Rooms

BeBe Winans
Lyrics1 month ago

BeBe Winans – It All Comes Down to Love [Lyrics]

BeBe Winans
Music1 month ago

[Music] BeBe Winans – It All Comes Down to Love

The Countdown Begins to the Tournament That Has It All
ANE Football Analytical2 months ago

AFCON 2023: A Sporting Spectacle Set to Captivate the World

Litecoin: What Makes It The Crypto Winner?
Technology3 months ago

Runny Inflation Can Drive Cryptocurrency Adoption

Black and White French Bulldog puppies Frenchie Joy
Lifestyle3 months ago

Black and White French Bulldog puppies Frenchie Joy

3 Serious Reasons to Keep Your Teenager Away From Social Media
Lifestyle3 months ago

3 Serious Reasons to Keep Your Teenager Away From Social Media

Boxing vs MMA What Makes Them So Different
Sports4 months ago

Boxing vs MMA: What Makes Them So Different

Roisea: Most Advanced Crypto Trading Platform for Bitcoin
Technology4 months ago

NFTs and Intellectual Property Rights: Shaping Creative Ownership

The Birth of a Rugby Nation South Africas Love Affair with the Sport
Sports8 months ago

The Birth of a Rugby Nation: South Africa’s Love Affair with the Sport

A Beginner's Guide to Radicle (RAD): The Future of Peer-to-Peer Development
Technology9 months ago

A Beginner’s Guide to Radicle (RAD): The Future of Peer-to-Peer Development

Analysis of Nigeria's Renewable Energy Sector: Opportunities and Challenges
Technology10 months ago

Analysis of Nigeria’s Renewable Energy Sector: Opportunities and Challenges

Casino Gaming Poker
Sports10 months ago

What Are The Various Types Of Online Slots?

Luka Modric celebrates after scoring Real Madrid's second goal against Celta Vigo.
Sports11 months ago

Luka Modric set to join Ronaldo in Saudi Arabia’s Al Nassr

WHO World Health Organization
Health11 months ago

WHO debunks claims that tuberculosis is caused by witchcraft, poison

Atiku Abubakar
News11 months ago

2023 Election: Why DSS must arrest Fani-Kayode – Atiku

PDP Logo Umbrella
News11 months ago

PDP suspends National Chairman

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories11 months ago

[STORY] THE PASTOR’S DAUGHTER (Final Episode 13)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 12)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 11)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 10)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 09)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 08)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 07)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 06)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 05)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 04)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 03)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 02)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 01)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Complete Episodes)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 16)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 15)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 14)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 13)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 12)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 11)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 10)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 09)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 08)

ANE Billboard Hots