Project Hyphae

Trick or Treat? Patch Apache now before the tricksters start to play.


Last Thursday the Apache Software Foundation issued a security advisory for a critical vulnerability (CVE-2022-42889). The vulnerability strikes a familiar chord, as it shares functional characteristics with the Log4j vulnerabilities seen at the end of last year. However, as of yet there is no indication that it has been exploited in the wild.

The vulnerability itself is due to defaults in Apache Commons Text (ACT) versions 1.5 – 1.9 that allow insecure variable interpolation, the process of evaluating placeholders embedded in a string and substituting their values. When the string being evaluated comes from an attacker, this can allow arbitrary code execution or contact with remote servers, which is how the Log4j exploit played out.

An update for ACT (1.10.0) was released on September 24th and removes the variable interpolation by default, though the vulnerability remains exploitable if variable interpolation is enabled and exposed to direct input.
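The following is an added example, not code from the advisory or from the Commons Text project, showing the distinction the paragraph above draws: a substitutor built with the library's default lookups versus one built with an explicit allowlist, so that the safe behaviour does not depend on which version's defaults are in play. It assumes the `StringLookupFactory` API as it exists in Commons Text 1.9 and 1.10 (`interpolatorStringLookup(Map, StringLookup, boolean)`, `mapStringLookup`).

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeTemplates {

    // Risky on Commons Text 1.5-1.9: createInterpolator() registers every
    // built-in lookup, including the script, dns and url lookups that 1.10.0
    // stops enabling by default. Any placeholder that reaches replace() from
    // untrusted input is evaluated with all of them.
    static String renderWithDefaults(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    // Hardened: only the lookup this application needs is registered, and
    // addDefaultLookups=false keeps the factory from adding the rest. A
    // placeholder whose prefix is not in the allowlist resolves to nothing and
    // is left in the output untouched, on 1.9 and 1.10.0 alike.
    static String renderAllowlisted(String template, Map<String, String> values) {
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("app", StringLookupFactory.INSTANCE.mapStringLookup(values));
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(lookups, null, false);
        return new StringSubstitutor(interpolator).replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("greeting", "Happy Halloween");
        // Constructed sample input: one allowlisted placeholder and one that
        // uses a built-in lookup prefix the allowlist does not know about.
        String template = "${app:greeting}! path=${env:PATH}";
        System.out.println(renderAllowlisted(template, values));
    }
}
```

Reviewing code for `createInterpolator()` (or for `StringLookupFactory` calls with `addDefaultLookups` set to true) fed by request data is a quick way to find the places where upgrading to 1.10.0 alone is not enough.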

To add an extra level of scare to the vulnerability, researchers from the threat intel firm GreyNoise have said they are aware of a Proof-of-Concept for the vulnerability that will soon become available, and that the vulnerability is very nearly identical to another announced this past July, which was also associated with variable interpolation in ACT (CVE-2022-33980).

The one fact that keeps this fright from turning into pure horror is that, unlike with the Log4j vulnerability, websites and apps that make use of this interpolation appear to be far less prevalent.

That said, don’t let yourself fall victim to tricksters, and treat yourself to an ACT update!
