The newly discovered “Text4Shell” vulnerability (CVE-2022-42889) is making headlines through arbitrary code execution in the Apache Commons Text.
Though similar to previously exploited vulnerabilities, such as the infamous Log4j (CVE-2021-44228), this vulnerability differs as it requires an implementation pattern that may not affect all users.
Even with the differentiating factors, the potential impact remains the same as the most impactful attack a threat actor can launch. We spoke with Yaniv Nizry, AppSec Researcher at Checkmarx to discuss the dangers of this vulnerability and what organizations can do to mitigate their risk.
What is the danger of Text4Shell? How is it similar/different from other threats?
If you are affected by Text4Shell, the impact might be a full compromise of the machine running the vulnerable code.
Arbitrary Code Execution threats are usually rarer, but in this case, given the simplicity of the exploitation, it's likely that attackers will try to blindly scan applications in the wild in the hope of getting a hit and finding vulnerable servers. Who is affected?
Applications that are using vulnerable versions (1.5 through 1.9) of org.apache.commons:commons-text and passing user input (when that user might be an attacker) to a vulnerable function (more information on those functions is in the blog post). How should organizations defend themselves against the threat?
Making sure that your dependencies are up-to-date and free of known vulnerabilities by using SCA (Software Composition Analysis) tools is probably the best way to defend yourself from third-party code vulnerabilities like 'Text4Shell'.
In addition to that, there are tools and products available that can block known attacks in real-time or help companies keep track of their dependencies and vulnerabilities. Do you anticipate similar vulnerabilities like Text4Shell in the future? How can organizations future-proof their defenses?
Definitely, using open-source code in your application these days is almost inevitable, and the number of dependencies available to developers is huge. Highly used dependencies are a great target for attackers to ensure widespread impact. It’s just a matter of time until the next vulnerability gets uncovered. The question is, who finds it first, the bad guys or the good guys? Having future-proof defenses for zero-days (vulnerabilities that didn't get published and fixed) is way harder than protecting organizations from 1-days (public vulnerability). Of course, one can never be certain that there are no unknown vulnerabilities, but steps can be taken in order to reduce these threats such as: using dependencies that have good support, scanning your application (static code or on runtime), detecting attacks in action, and more.