WordPress security company Wordfence said on Thursday that it began detecting exploit attempts against a newly disclosed vulnerability in Apache Commons Text on October 18, 2022.
The vulnerability, tracked as CVE-2022-42889 and nicknamed Text4Shell, has been given a severity rating of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
It is similar to the now well-known Log4Shell vulnerability in that the problem stems from the way string substitutions are performed during DNS, script and URL lookups, which can lead to arbitrary code execution when the library is fed untrusted input.
Successful exploitation of this vulnerability could allow an attacker to open a connection to the vulnerable application through a specially crafted payload, effectively opening the door to further attacks.
Although the problem was initially reported in early March 2022, the Apache Software Foundation (ASF) released an updated version of the software (1.10.0) on September 24 and issued an advisory only last week, on October 13.
“Fortunately, not all users of this library are affected by this vulnerability – unlike Log4j in the Log4Shell vulnerability, which was vulnerable even in the most basic use cases,” said Checkmarx researcher Yaniv Nizry.
“Apache Commons Text must be used in a certain way to expose the attack surface and make the vulnerability open to exploitation.”
Wordfence also notes that the likelihood of successful exploitation is significantly more limited in scope than with Log4j, with most of the payloads observed to date designed to scan for vulnerable installations.
“A successful attempt would result in the victim site making a DNS query to an attacker-controlled listening domain,” said Wordfence researcher Ram Gall.
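As an added example (not code from the article, Wordfence or the Apache project), the following Python checks web-server access-log lines for the dns, script and url lookup prefixes that Text4Shell scan payloads rely on, URL-decoding each request first because such payloads are often single- or double-encoded; the log lines and payload bodies are constructed and inert.

```python
import re
from urllib.parse import unquote

# Lookup prefixes that CVE-2022-42889 made dangerous when reachable from
# untrusted input. The regex tolerates "${ dns :" spacing and case variants.
DANGEROUS_LOOKUPS = ("dns", "script", "url")
_PATTERN = re.compile(
    r"\$\{\s*(" + "|".join(DANGEROUS_LOOKUPS) + r")\s*:",
    re.IGNORECASE,
)

def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times; scanners often double-encode '${'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_text4shell_lookups(line: str) -> list[str]:
    """Return the lookup names (dns/script/url) found in a line after decoding."""
    decoded = decode_repeatedly(line)
    return [m.group(1).lower() for m in _PATTERN.finditer(decoded)]

# Constructed sample access-log lines (not real traffic). The payload bodies
# are placeholders; only the lookup prefix matters for detection.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2022:10:01:22 +0000] "GET /?q=hello HTTP/1.1" 200 512
203.0.113.7 - - [18/Oct/2022:10:01:23 +0000] "GET /?q=%24%7Bdns%3Aaddress%7Cexample.invalid%7D HTTP/1.1" 200 512
203.0.113.9 - - [18/Oct/2022:10:02:05 +0000] "GET /?q=%2524%257Bscript%253Ajavascript%253A1%252B1%257D HTTP/1.1" 200 512
198.51.100.4 - - [18/Oct/2022:10:03:11 +0000] "GET /?q=${url:UTF-8:placeholder} HTTP/1.1" 200 512
"""

def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Return (line_number, lookups) for every line carrying a dangerous lookup."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        lookups = find_text4shell_lookups(line)
        if lookups:
            hits.append((number, lookups))
    return hits

if __name__ == "__main__":
    for number, lookups in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious lookup(s) {lookups}")
```

A hit on a dns lookup combined with an outbound DNS query from the application host to an unfamiliar domain is the behaviour Gall describes above and is worth alerting on.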
If anything, this development is yet another indication of the security risks posed by third-party open source dependencies, requiring organizations to regularly assess their own attack surface and establish appropriate patch management strategies.
Users who depend directly on Apache Commons Text are advised to upgrade to the fixed version to mitigate potential threats. According to the Maven Repository, 2,593 projects use the Apache Commons Text library.
The Apache Commons Text vulnerability also follows another critical security flaw disclosed in Apache Commons Configuration in July 2022 (CVE-2022-33980, CVSS score: 9.8), which could lead to arbitrary code execution through its variable interpolation functionality.