A vulnerability in the open-source Apache Commons Text library has been patched in version 1.10.0. Apache Commons Text is a Java library whose “interpolation system” lets developers modify, decode, generate, and escape strings by resolving lookups embedded in input strings. The vulnerability, which was first discovered on March 9, 2022, and dubbed “Text4Shell”, affects various versions between 1.5 and 1.9 and is caused by the interpolation system performing unsafe script evaluation, which could lead to code execution when the library’s default configuration processes malicious input. The updated library disables the problematic interpolators by default.
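The following is an added example, not code from the advisory or from the Apache project, showing the pre-1.10.0 default interpolator beside a hardened substitutor built from an explicit lookup allowlist; it assumes commons-text is on the classpath, and the class and method names are the example's own.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example (hypothetical names): build the substitutor from an explicit
// allowlist so the script, dns and url interpolators are never reachable.
public class AllowlistedInterpolation {

    // Before 1.10.0 this default registered every lookup, including the
    // "script" interpolator, so untrusted text reaching replace() was unsafe.
    static String legacyDefault(String text) {
        return StringSubstitutor.createInterpolator().replace(text);
    }

    // Hardened form: only the named lookups are registered, and
    // addDefaultLookups=false stops the factory from adding the others.
    // This holds on any 1.x version, not only the patched 1.10.0.
    static StringSubstitutor allowlisted(Map<String, String> vars) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        // Keys are the documented lookup prefixes used inside ${prefix:value}.
        Map<String, StringLookup> allowed = Map.of(
            "base64Decoder", f.base64DecoderStringLookup(),
            "date", f.dateStringLookup());
        // Unprefixed ${name} references fall through to the plain map lookup.
        StringLookup root = f.interpolatorStringLookup(
            allowed, f.mapStringLookup(vars), false);
        return new StringSubstitutor(root);
    }

    public static void main(String[] args) {
        StringSubstitutor sub = allowlisted(Map.of("user", "alice"));

        // Plain variables and allowlisted lookups are still resolved.
        System.out.println(sub.replace("Hi ${user}: ${base64Decoder:SGVsbG8=}"));

        // A prefix that is not registered is never dispatched to a lookup:
        // the placeholder is left in the output unchanged rather than being
        // handed to a script engine (the value here is a harmless probe).
        System.out.println(sub.replace("${script:javascript:1+1}"));
    }
}
```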
Due to the widespread deployment of the library, and since vulnerable versions date back to 2018, there was concern that this vulnerability would cause widespread damage, similar to the Log4Shell vulnerability. However, security researchers at Rapid7 identified that only some of the versions between 1.5 and 1.9 are affected and that its exploitation potential depends on the JDK version in use. While there is an updated Proof of Concept (PoC) exploit that utilizes the JEXL engine to bypass the JDK limitation, Apache’s security team notes that string interpolation is a documented feature, making it less likely that applications inadvertently pass unvalidated, untrusted input to the library. Additionally, while this vulnerability remained unpatched for seven months, there were no reports of it being exploited in the wild.
Supply chain attacks are becoming an increasingly popular attack vector among threat actors worldwide. Fortunately, it seems that this vulnerability was not exploited in the wild in the seven months that it remained unpatched, but this will likely change. The problem with supply chain attacks is that in many instances there are limited ways to detect them until they are more broadly known. It is recommended to have a defense-in-depth strategy with numerous detections deployed to cover a large portion of the cyber kill chain; this ensures that if the remote code execution itself is not caught, one of the actor’s other tactics likely will be. Additionally, the growing use of supply chain attacks demonstrates the need for either an internal or a third-party threat intelligence team to ensure that organizations stay up to date with the latest vulnerabilities and patches as they are released.