WordPress security firm Wordfence on Thursday said it began detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022.
The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity rating of 9.8 out of a maximum of 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
It is also similar to the now infamous Log4Shell vulnerability in that the issue is rooted in the way string substitutions performed during DNS, script, and URL lookups can lead to the execution of arbitrary code on vulnerable systems when they are passed untrusted input.
Successful exploitation of the flaw can allow a threat actor to open a reverse shell connection with the vulnerable application simply via a specially crafted payload, effectively opening the door for follow-on attacks.
While the issue was initially reported in early March 2022, the Apache Software Foundation (ASF) released an updated version of the software (1.10.0) on September 24, followed by issuing an advisory only last week on October 13.
“Fortunately, not all users of this library would be affected by this vulnerability – unlike Log4J in the Log4Shell vulnerability, which was vulnerable even in its most basic use-cases,” Checkmarx researcher Yaniv Nizry said.
“Apache Commons Text must be used in a certain way to expose the attack surface and make the vulnerability exploitable.”
Wordfence also reiterated that the likelihood of successful exploitation is significantly limited in scope when compared to Log4j, with most of the payloads observed so far designed to scan for vulnerable installations.
“A successful attempt would result in the victim site making a DNS query to the attacker-controlled listener domain,” Wordfence researcher Ram Gall said, adding that requests with script and URL prefixes were comparatively lower in volume.
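As an added illustration of the scanning activity described above (not code from Wordfence or the Apache project), the following Python snippet flags web-server log lines that carry the three lookup prefixes singled out in the advisory, after stripping the percent-encoding scanners typically wrap them in. The log lines are constructed samples with placeholder addresses and redacted lookup bodies.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Lookup prefixes whose string substitution the advisory singles out
# (DNS, script and URL lookups); 1.10.0 no longer enables them by default.
DANGEROUS_PREFIXES = ("dns", "script", "url")
LOOKUP_RE = re.compile(r"\$\{\s*(" + "|".join(DANGEROUS_PREFIXES) + r")\s*:", re.IGNORECASE)

def normalise(text: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so an encoded
    %24%7Bdns%3A still matches the plain ${dns: pattern."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_lookups(line: str) -> list[str]:
    """Return the lowercase prefix of every dangerous lookup found in one line."""
    return [m.group(1).lower() for m in LOOKUP_RE.finditer(normalise(line))]

def scan_log(lines) -> Counter:
    """Count matched lookup prefixes across all lines, mirroring the
    per-prefix volume comparison in the report above."""
    counts = Counter()
    for line in lines:
        counts.update(find_lookups(line))
    return counts

# Constructed sample access-log lines (not real traffic): documentation
# address ranges, and REDACTED in place of whatever a scanner would send.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2022:10:01:02 +0000] "GET /?q=%24%7Bdns%3AREDACTED%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Oct/2022:10:01:03 +0000] "GET /search?term=${DNS:REDACTED} HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Oct/2022:10:02:10 +0000] "POST /api/v1/items HTTP/1.1" 200 77 "${script:REDACTED}"',
    '198.51.100.7 - - [18/Oct/2022:10:02:11 +0000] "GET /?x=%2524%257Burl%253AREDACTED%257D HTTP/1.1" 200 77',
    '192.0.2.9 - - [18/Oct/2022:10:03:00 +0000] "GET /docs/${version} HTTP/1.1" 200 1024',
    '192.0.2.9 - - [18/Oct/2022:10:03:01 +0000] "GET /price?amount=$10 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hits = find_lookups(line)
        if hits:
            print(f"suspicious ({', '.join(hits)}): {line}")
    print(dict(scan_log(SAMPLE_LOG)))  # {'dns': 2, 'script': 1, 'url': 1}
```

The last two sample lines show that a bare `${...}` template or a dollar sign alone is not enough to trigger a hit; only the `prefix:` form that selects a lookup is matched.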
If anything, the development is yet another indication of the potential security risks posed by third-party open source dependencies, necessitating that organizations routinely assess their attack surface and set up appropriate patch management strategies.
Users who have direct dependencies on Apache Commons Text are recommended to upgrade to the fixed version to mitigate potential threats. According to Maven Repository, as many as 2,593 projects use the Apache Commons Text library.
The Apache Commons Text flaw also follows another critical security weakness that was disclosed in Apache Commons Configuration in July 2022 (CVE-2022-33980, CVSS score: 9.8), which could lead to arbitrary code execution via the variable interpolation functionality.