The Apache Foundation has published a message on its mailing list pointing to a vulnerability in the Apache Commons Text project code, which is similar to the Log4shell bug. The vulnerability affects Java deserialization and exploitation. It affects the OpenJDK 8 implementation.
Remote code execution
The Apache Commons Text library has been found to contain a remote code execution flaw. This flaw is similar to the recent “Log4j bug” (CVE-2021-44228) that popped up in that popular open-source library. The main difference between the two is that Apache Commons Text is used less frequently and in fewer applications, and the chances of successfully exploiting this flaw are much lower.
This vulnerability affects the dns, script, and url instances of Apache Commons Text. The affected versions of the library range from 1.5 to 1.9. Users affected should upgrade to a fixed version. The vulnerability can be detected remotely using the dns prefix or url prefix. The url prefix will offer more accurate results.
The Apache Foundation has not released the details of this vulnerability but has acknowledged that the vulnerability is “severe”. The problem originates from Log4j’s deserialization code. It allows an attacker to make network requests to a database, obtain arbitrary code, and execute it in the context of the victim. This vulnerability is particularly problematic because log4j is used by millions of applications.
An important vulnerability in Apache Commons Text library relates to unsafe script evaluation. The default interpolators of the StringSubstitutor class can allow arbitrary code execution. This bug affects Apache Commons Text versions 1.5 through 1.9. As a result, it is critical that users do not use Apache Commons Text with default configurations.
This vulnerability can cause a remote attacker to execute code in the context of a privileged log. A remote attacker can also access sensitive data. Those who are vulnerable to this vulnerability should upgrade their Java versions immediately. It’s recommended that organizations with vulnerable Java versions update their software to release 2.12.2.
While the bug is not as severe as the Log4j bug, it still causes a major security concern. It affects versions of Java as far back as 2018. While some versions of the software are vulnerable, the latest proof of concept exploit bypasses this limitation.
Java deserialization
In the same way that the Log4j bug impacted Java deserialization, the Apache Commons Text library has been found to contain a critical vulnerability. This vulnerability affects Java versions 1.5 to 1.9, including Java 8. It affects the string substitution feature, which is used to perform network access and code execution. The vulnerability has been tracked as CVE-2022-42889, and the Apache Software Foundation has issued a security advisory regarding this issue.
This vulnerability is similar to the one found in Log4j, but is easier to exploit. This vulnerability allows a specially crafted binary payload to be sent to a TCP or UDP socket server, which in turn executes arbitrary code when deserialized.
The Apache Commons Text team is aware of the vulnerability, and has patched it. It has also fixed typos, added resources, and clarified the requirements for exploiting the vulnerability. Its severity rating is now 9.8.
The new version of Logback supports level changes and j.u.l. framework, which will reduce the performance impact of disabled log statements. Moreover, it has added support for variable substitution in the appender-ref element. This fix will help improve the performance of Logback. This feature is based on the Geronimo JMS API specifications. Unless you’re using Java, you’ll need to manually install these libraries, although you can use Maven to install them.
The latest version of Logback has several important fixes and bug corrections. It also has an updated documentation. In the manual, there are two new chapters that explain the functionality of Logback. The documentation has also been significantly improved. The new version of Logback is binary-compatible.
NIST published details on this issue on December 9th, 2021. While details on the scope and severity of the vulnerability are still unclear, it’s important to note that the vulnerability affects both Java 8 and Java 7. Upgrade to Java 8 or 2.12.2 as soon as possible. The affected Java versions are the log4j-core and log4j-api JAR files.
The new vulnerability affects any server that receives user data. This means that even secure servers can be affected. A vulnerability in this library could potentially allow attackers to intercept and execute code.
Exploitation
Apache Log4j has a vulnerability called “Log4Shell” that can be exploited with the help of malicious code. This bug affects any server that receives user data. This means even secure servers can be compromised. There are several mitigation techniques that can help mitigate this bug.
The vulnerability affects Apache Commons Text versions 1.5 through 1.9 and all JDK versions. It affects the string substitution feature of the language and can allow for network access and code execution. The Apache Commons Text team has released an updated version, and has posted two example scripts for remote detection.
The vulnerability is due to a vulnerability in the Apache Commons Text library, which contains algorithms for character string manipulation and data interpolation capabilities. It could make your application vulnerable to remote code execution, which is a cybersecurity nightmare. As a result, it is imperative to use Apache Commons Text only when you can trust the input.
As soon as a 0-day vulnerability is disclosed, it is important to update vulnerable applications. The vulnerability affects cloud services, such as Amazon Web Services, and is similar to the one found in the Log4j bug. The Apache Software Foundation lists the vulnerability as CVSS 6.6 and is considered moderately severe. VMware is currently investigating the issue and is expected to release guidance soon.
The vulnerability can be exploited by modifying Log4j configuration files. VMware recommends that customers upgrade to the latest major release of this product. This includes the patch for Log4j as well as other fixes for other vulnerabilities. This vulnerability should be resolved immediately.
Impact on OpenJDK 8 implementation
An Apache Commons Text vulnerability was recently discovered. The vulnerability affects versions 1.5 and above, and has been fixed in recent releases. This vulnerability affects string substitution and could allow remote code execution or network access. The security team has released an updated configuration to make the vulnerability less likely.
To exploit the vulnerability, an attacker must access an application that relies on Commons Text. This is relatively easy to do. For example, an attacker can control the HTTP User Agent header, allowing them to execute code in the context of the user. The vulnerability is likely to be exploited in a large number of Java applications. The vulnerability has the potential to result in data breaches.
This vulnerability affects many Java applications, including the popular Apache Commons Text library. Depending on the version of the JDK that you’re using, a malicious actor can execute arbitrary code on your system. As a result, it’s important to patch affected systems.
The security team has updated the implementation of Apache Commons Text to correct this issue. While this vulnerability is less widespread and harder to exploit than similar vulnerabilities, organizations should still upgrade to the latest library. The NVD severity rating for this vulnerability is 9.8.
Apache Commons Text contains a critical vulnerability in its core library, primarily for algorithms that manipulate character strings. It also contains an API for interpolation and substitution, which can allow arbitrary code execution. As such, attackers could exploit the vulnerability by using a user-controlled data.
