Apache Foundation software again under scrutiny
Although currently scored as 9.8/10.0, the latest CVE-2022-42889 appears to be not so far reaching as the infamous CVE-2021-44228, known as Log4Shell. This time, CVE-2022-42889 affects the Apache Commons Text library. Part of the Apache Commons project which focuses on all aspects of reusable Java components, the Text component performs variable interpolation, allowing properties to be dynamically evaluated and expanded within strings.
More details on the vulnerability here. The library contains some interpolation features that could allow attackers to pass and execute arbitrary code. Fortunately, this time organizations are more lucky than with Log4j library: that one did not require any specific code to execute the exploit, meaning attackers could immediately launch scalable attacks with very generic code against all network and internet connected servers using this library.
In the current case, the attacker would have to research each individual application using the Text library and also find one that will pass unsanitized user provided values. That requires more time and effort and hence the conclusion: it's not so serious.
That being said, Proof-of-Concept exploits are already out there, as it's quite easy to reproduce the conditions triggering the vulnerability.
Furthermore, the Apache Commons libraries are so widely used across a range of Java applications, it means organizations will find many versions of the vulnerable library on individual servers and even client machines. This means a more serious scan and search effort is required to identify all the vulnerable instances lurking within an organization.
The latest vulnerability is just one in a series affecting Apache Foundation software: besides Log4Shell, in July 2022 another Apache Commons component called Configurator, which simplifies managing application configuration properties, turned out to have similar string interpolation dangers.
The Apache Foundation open source software components are so widely used that any future vulnerability discovered is bound to have far reaching consequences.
