A vulnerability in the open-source Apache Commons Text library (CVE-2022-42889) has been patched in version 1.10.0. Apache Commons Text is a Java library whose “interpolation system” lets developers resolve, decode, generate, and escape strings by substituting `${prefix:value}` placeholders with the results of named lookups. The vulnerability, reported to Apache on March 9, 2022, and dubbed “Text4Shell”, affects versions 1.5 through 1.9. Its cause is that the library’s default interpolator registers the `script`, `dns`, and `url` lookups, so a string containing `${script:javascript:...}` that reaches the default configuration is handed to the JVM’s script engine and evaluated, which can result in code execution. The updated library removes these interpolators from the default set.
Because the library is widely deployed, and because vulnerable versions date back to 2018, there was concern that this vulnerability would cause widespread damage comparable to Log4Shell. However, security researchers at Rapid7 found that although all versions from 1.5 through 1.9 ship the dangerous lookups, its exploitation potential depends on the JDK in use: the `script` lookup relies on the Nashorn JavaScript engine, which was removed in JDK 15, so the stock payload only works on older runtimes. An updated Proof of Concept (PoC) exploit uses the JEXL engine, if it is present on the classpath, to bypass that limitation, but Apache’s security team notes that string interpolation is a documented feature, making it less likely that applications would pass unvalidated, untrusted input through the library by accident. Additionally, although the vulnerability remained unpatched for seven months, there were no reports of it being exploited in the wild.
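The following is an added example, not code from the original article or from the Commons Text project, that shows the vulnerable pattern described above next to a hardened one and illustrates the JDK dependency. It assumes commons-text 1.5 to 1.9 on the classpath for the vulnerable method to be exploitable, a JDK of 14 or earlier that still ships the Nashorn “javascript” engine for the payload to resolve, and a constructed attacker-controlled string standing in for user input. The class and method names are illustrative.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not from the article or the Commons Text project): the
 * vulnerable call beside an allow-listed interpolator. Assumes commons-text
 * 1.5-1.9 and a JDK <= 14 (Nashorn present) for the vulnerable path to fire.
 */
public class Text4ShellDemo {

    // Constructed attacker-controlled input, e.g. a query parameter or form field.
    static final String UNTRUSTED =
        "${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/text4shell')}";

    /**
     * Vulnerable: on 1.5-1.9 the default interpolator wires up the script:, dns:
     * and url: lookups, so every "${...}" in user data is resolved and
     * "${script:...}" is handed to javax.script for evaluation.
     */
    static String renderVulnerable(String template) {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
        return interpolator.replace(template);
    }

    /**
     * Hardened: build the interpolator from an explicit allow-list of lookups and
     * pass addDefaultLookups=false, so script:/dns:/url: are never registered
     * regardless of library version. Unknown prefixes fall through to the map
     * lookup, miss, and are left unresolved instead of being evaluated.
     */
    static String renderHardened(String template, Map<String, String> values) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", f.dateStringLookup());   // harmless, side-effect-free lookup only
        StringLookup lookup = f.interpolatorStringLookup(
            allowed,                     // prefix -> lookup allow-list
            f.mapStringLookup(values),   // default: keys resolved from our own map
            false);                      // do NOT add the library's built-in defaults
        return new StringSubstitutor(lookup).replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("user", "alice");

        // Hardened path: ${user} resolves, the script: payload is echoed back verbatim.
        System.out.println(renderHardened("Hello ${user}: " + UNTRUSTED, values));

        // Vulnerable path: on 1.5-1.9 with Nashorn available this runs the command.
        // On JDK 15+ the script lookup throws IllegalArgumentException because no
        // "javascript" engine exists, unless another JSR-223 engine such as JEXL is
        // on the classpath, which is what the JEXL-based PoC relies on.
        try {
            System.out.println(renderVulnerable(UNTRUSTED));
        } catch (IllegalArgumentException e) {
            System.out.println("script lookup unavailable: " + e.getMessage());
        }
    }
}
```

When auditing an application, grep for `StringSubstitutor.createInterpolator()` and for `interpolatorStringLookup(...)` calls that pass `addDefaultLookups=true`, and check the runtime JDK and classpath for JSR-223 engines (Nashorn, JEXL, Groovy) rather than relying on the JDK version alone. Upgrading to 1.10.0 removes the dangerous lookups from the defaults, but code that registers them explicitly remains exposed.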