Last Thursday the Apache Software Foundation issued security advisory for a critical vulnerability (CVE-2022-42889). The vulnerability is one which strikes familiar chord, as it shares functional characteristics with the Log4J vulnerabilities seen at the end last year. However, as of yet there is no indication that it has been exploited in the wild.
The vulnerability itself is due to defaults in the Apache Commons Text (ACT) versions 1.5 – 1.9 allowing for insecure variable interpolation – the process of evaluating a string for code which contains placeholders. This can allow arbitrary code execution or contact with remote servers, which is how the Log4j vulnerability exploit played out.
An update for ACT (1.10.0) was released on September 24th, and removes the variable interpolation by default, though the ability to exploit remains if it the variable interpolation is enabled and exposed to direct input.
To add an extra level of scare to the vulnerability, researchers from the threat intel firm GreyNoise have said they are aware of a Proof-of-Concept for the vulnerability to soon become available, and that the vulnerability is very nearly identical to another which was announced this past July, which also was associated with variable interpolation in ACT (CVE-2022-33980).
The one fact that remains to keep this fright from turning into pure horror is that unlike the Log4J vulnerability, websites and apps which make use of this interpolation seem to be far less prevalent.
That said, don’t let yourself fall victim to tricksters, and treat yourself to an ACT update!