On Oct. 18/19, 2022, a blog published by GHSL1 researcher Alvaro Muñoz (@pwntester) found vulnerabilities in Apache Commons Text. A bug in the Apache Commons Text library can be used to execute code remotely.
Apache Commons Text is a popular open-source Java library with an “interpolation system” that allows developers to modify, decode and generate character strings based on input strings. The affected products, according to Apache, include at least the following:
Public exploits
Public exploits are available for the described vulnerabilities at the time of writing. NFIR assesses the risk of possible misuse as real.
Recommendation
For developers of applications using Apache Commons Text, the following advice applies:
There is a new version available which can be downloaded from
https://commons.apache.org/proper/commons-text/
NFIR recommends upgrading as soon as possible and then deploying to affected systems and applications. For third-party applications that you use, NFIR recommends that you contact the vendor for any updates.
It is important for your organization to take at least the following steps:
- Check publicly available Indicators-of-Compromise (IoCs) on your systems to determine if any systems may have been compromised, or have external preventive research performed on your systems.
- Implement the workarounds made available, to limit -where possible- the impact.
- Prepare your organization for the situation when patches need to be executed unexpectedly (outside the regular update timeframes) and apply patches in a controlled manner according to the procedure usual for your organization.
- Immediately run the available security updates/patches as soon as they are published on the systems and verify that the updates have actually been applied. In case you have an external IT service provider: Have your provider perform these actions and have them confirm the actions and their result to you in writing.
Do you have systems where the risk is high (for example, systems with very sensitive or special personal data)? If so, do you possibly have indications that the system cannot be mitigated and/or updated immediately? Then consider temporarily disabling the system until it can be updated.
If your organization is suspected to have been the victim of an attack, the urgent advice is to have research conducted into the cause, to what extent attackers may have compromised other systems and what information may have been accessed unauthorized.
- If possible, disconnect affected systems from the network, but leave them on (because of possible traces such as volatile memory – RAM);
- Have the affected systems forensically examined;
- Provide adequate backups;
- Reset your passwords and user data;
- Report to the Police;
- Determine whether or not your organization must report to the Data Protection Authority.
Does your organization currently have an incident? Our Computer Emergency Response Teams (CERT) are available to organizations 24/7 to support IT Security Incidents.
Then call 088 133 0700 and we will do our best to help you as soon as possible.
Disclaimer: NFIR has made every effort to make this information accurate and reliable. However, the information provided is without any guarantee of any kind and its use is entirely at the risk of the user. NFIR assumes no responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided.
