Project Hyphae

Trick or Treat? Patch Apache now before the tricksters start to play.

Share This Post

Last Thursday the Apache Software Foundation issued security advisory for a critical vulnerability (CVE-2022-42889). The vulnerability is one which strikes familiar chord, as it shares functional characteristics with the Log4J vulnerabilities seen at the end last year. However, as of yet there is no indication that it has been exploited in the wild.

The vulnerability itself is due to defaults in the Apache Commons Text (ACT) versions 1.5 – 1.9 allowing for insecure variable interpolation – the process of evaluating a string for code which contains placeholders. This can allow arbitrary code execution or contact with remote servers, which is how the Log4j vulnerability exploit played out.

An update for ACT (1.10.0) was released on September 24th, and removes the variable interpolation by default, though the ability to exploit remains if it the variable interpolation is enabled and exposed to direct input.

To add an extra level of scare to the vulnerability, researchers from the threat intel firm GreyNoise have said they are aware of a Proof-of-Concept for the vulnerability to soon become available, and that the vulnerability is very nearly identical to another which was announced this past July, which also was associated with variable interpolation in ACT (CVE-2022-33980).

The one fact that remains to keep this fright from turning into pure horror is that unlike the Log4J vulnerability, websites and apps which make use of this interpolation seem to be far less prevalent.

That said, don’t let yourself fall victim to tricksters, and treat yourself to an ACT update!

More To Explore

Information Security News 1-23-2023

MailChimp Discloses New Breach After Employees Got Hacked Article Link: T-Mobile Suffers 8th Data Breach in Less Than 5 Years Article Link: Hackers

BianLian Ransomware Decryptor Made Public

BianLian, a Windows ransomware variant written in Go, the Google-created open source programming language, has been steadily increasing in popularity among threat actors since it

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.