Web Application Security

New Text4Shell RCE vulnerability in Apache Commons Text: CVE-2022-42889

Yet another RCE with a CVSS score of 9.8 out of 10 was disclosed a few hours ago. This issue looks a lot like Log4Shell, and it may be even more dangerous, since Commons Text is used even more broadly.

The Apache Foundation disclosed a vulnerability in the Apache Commons Text project code and announced it on the project's mailing list on October 13th, the official birth date of the Text4Shell vulnerability.

This is an SSTI (Server-Side Template Injection) issue, with a payload that looks very similar to Log4Shell:

${script:javascript:java.lang.Run.Runtime.getRuntime().exec("cat /etc/shadow");}

As you can see, the injected macro (a template expression that starts with ${) lets an attacker execute arbitrary code by calling methods of Java classes through the library's script lookup.

Wallarm Security Team recommends instantly updating the vulnerable library. The priority action is to update Apache Commons Text to version 1.10.0, via the usual package managers or a direct download from https://commons.apache.org/proper/commons-text/download_text.cgi.
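As an added illustration (not code from the original post or from the Apache project), the Java snippet below contrasts the pattern that exposes an application, handing untrusted input to the default interpolator of Commons Text, with a hardened substitutor that allowlists only the lookups the application actually needs, so the script, dns and url lookups are never reachable even on a version older than 1.10.0. It assumes commons-text on the classpath; the input string and the variable names are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    // Constructed attacker-style input: the ${script:...} expression must
    // never be evaluated; the placeholder body is intentionally inert.
    static final String UNTRUSTED =
        "Hello ${user}, generated on ${date:yyyy-MM-dd} ${script:javascript:untrusted}";

    // Exposed pattern: createInterpolator() wires up every built-in lookup.
    // Before 1.10.0 that set includes script, dns and url, so any ${script:...}
    // in untrusted text is executed. (1.10.0 disables those three by default.)
    static String exposed(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // Hardened pattern: explicit allowlist of lookups. Only "date" is enabled
    // here; plain ${user} falls back to the application's own variable map.
    static StringSubstitutor hardened(Map<String, String> vars) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(
            allowed,
            StringLookupFactory.INSTANCE.mapStringLookup(vars), // default lookup
            false); // false = do NOT add the default lookups (script, dns, url, ...)
        return new StringSubstitutor(lookup);
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("user", "alice");
        // ${user} and ${date:...} resolve; ${script:...} has no registered
        // prefix and is left untouched as literal text instead of executed.
        System.out.println(hardened(vars).replace(UNTRUSTED));
    }
}
```

Upgrading to 1.10.0 remains the primary fix; the allowlist is defense in depth and also documents which lookups the application relies on.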

All Wallarm API security and WAAP customers already got protection against CVE-2022-42889 while using the product in a blocking mode.

WAF signatures are not effective against CVE-2022-42889 due to the many possible obfuscations of the template injection syntax and the different gadgets and gadget chains of Java objects that attackers can use.

References: https://nvd.nist.gov/vuln/detail/CVE-2022-42889#vulnCurrentDescriptionTitle
