...

New vulnerabilities in Apache Commons Text (CVE-2022-42889) – Text2Shell

Content

On Oct. 18/19, 2022, a blog published by GHSL1 researcher Alvaro Muñoz (@pwntester) found vulnerabilities in Apache Commons Text. A bug in the Apache Commons Text library can be used to execute code remotely.

Apache Commons Text is a popular open-source Java library with an “interpolation system” that allows developers to modify, decode and generate character strings based on input strings. The affected products, according to Apache, include at least the following:

New vulnerabilities in Apache Commons Text (CVE-2022-42889) - Text2Shell

Public exploits

Public exploits are available for the described vulnerabilities at the time of writing. NFIR assesses the risk of possible misuse as real.

Recommendation

For developers of applications using Apache Commons Text, the following advice applies:

There is a new version available which can be downloaded from
https://commons.apache.org/proper/commons-text/

NFIR recommends upgrading as soon as possible and then deploying to affected systems and applications. For third-party applications that you use, NFIR recommends that you contact the vendor for any updates.

It is important for your organization to take at least the following steps:

  1. Check publicly available Indicators-of-Compromise (IoCs) on your systems to determine if any systems may have been compromised, or have external preventive research performed on your systems.
  2. Implement the workarounds made available, to limit -where possible- the impact.
  3. Prepare your organization for the situation when patches need to be executed unexpectedly (outside the regular update timeframes) and apply patches in a controlled manner according to the procedure usual for your organization.
  4. Immediately run the available security updates/patches as soon as they are published on the systems and verify that the updates have actually been applied. In case you have an external IT service provider: Have your provider perform these actions and have them confirm the actions and their result to you in writing.

Do you have systems where the risk is high (for example, systems with very sensitive or special personal data)? If so, do you possibly have indications that the system cannot be mitigated and/or updated immediately? Then consider temporarily disabling the system until it can be updated.

If your organization is suspected to have been the victim of an attack, the urgent advice is to have research conducted into the cause, to what extent attackers may have compromised other systems and what information may have been accessed unauthorized.

  1. If possible, disconnect affected systems from the network, but leave them on (because of possible traces such as volatile memory – RAM);
  2. Have the affected systems forensically examined;
  3. Provide adequate backups;
  4. Reset your passwords and user data;
  5. Report to the Police;
  6. Determine whether or not your organization must report to the Data Protection Authority.

Does your organization currently have an incident? Our Computer Emergency Response Teams (CERT) are available to organizations 24/7 to support IT Security Incidents.

Then call 088 133 0700 and we will do our best to help you as soon as possible.

Disclaimer: NFIR has made every effort to make this information accurate and reliable. However, the information provided is without any guarantee of any kind and its use is entirely at the risk of the user. NFIR assumes no responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided.

SECURITY INCIDENT BIJ UW ORGANISATIE?

De volgende 30 minuten zijn van cruciaal belang​!

De eerste 30 minuten na een cyber security incident zijn cruciaal, omdat een snelle en adequate reactie de schade kan beperken. Daarnaast kan verdere verspreiding van de aanval worden voorkomen en kan essentieel bewijsmateriaal veiliggesteld worden voor nader onderzoek.

Ons Computer Emergency Response Team (CERT) staat 24/7 klaar om bedrijven en organisaties te ondersteunen bij IT-beveiligingsincidenten.

Heeft uw bedrijf professionele hulp nodig bij een beveiligingsincident? 

* LET OP: Wij werken uitsluiten voor bedrijven en organisaties.

SECURITY INCIDENT AT YOUR ORGANIZATION?

The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial because a quick and adequate response can limit the damage.
In addition, further spread of the attack can be prevented and essential evidence can be secured for further investigation.

Our Computer Emergency Response Team (CERT) is available 24/7 to support businesses and organizations during IT security incidents.

Does your company need professional help with a security incident?

* NOTE: We work exclusively for companies and organizations.