Security researcher Alvaro Muñoz recently warned of a critical vulnerability in versions 1.5 through 1.9 of Apache Commons Text. The flaw, dubbed “Text4Shell” and identified as CVE-2022-42889, can enable remote code execution via the StringSubstitutor API. In response, version 1.10 was released, which disables script interpolation by default.
While the flaw carries a very high severity rating of 9.8 and its name suggests a similarity to the dreaded Log4Shell vulnerability, Rapid7 researcher Erick Galinkin suggested it’s an unfair comparison. “The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input,” he wrote.
WordPress security company Wordfence has detected malicious actors scanning for vulnerable installations, but the firm agreed that Text4Shell carries a much lower risk than Log4j: “the Apache Commons Text library is far less widely used in an unsafe manner and the likelihood of successful exploitation is significantly lower.”
Responding to Text4Shell
Varun Badhwar, CEO and co-founder of Endor Labs, said the vulnerability is concerning but unsurprising. “It’s natural and expected for developers to make mistakes while developing code, especially open source maintainers and contributors for whom this is not a full-time job,” he said.
The greatest problem that Text4Shell will cause for most companies, Badhwar said, is the amount of time required to investigate and remediate the issue. “First and foremost, most organizations lack the tools to quickly discover where this dependency is being used,” he said.
On that level at least, Badhwar said the comparison to Log4Shell is appropriate – the U.S. Cyber Safety Review Board’s most recent report [PDF] on Log4Shell noted that one U.S. government cabinet-level department devoted 33,000 hours to investigating and responding to the flaw.
“While we hope for the best from maintainers, end users of open source software need to invest in dependency lifecycle management solutions that can help them select appropriate dependencies, secure them efficiently, and be prepared to rapidly investigate and respond to such incidents with a high degree of automation,” Badhwar added.
Dependencies of Dependencies
Endor Labs security researcher Henrik Plate told eSecurity Planet that the obscurity of the affected dependency is the key challenge. “The general problem with vulnerabilities in open source components is that the majority don’t affect components (dependencies) that software developers use directly,” he said. “Instead, those vulnerabilities affect dependencies of dependencies that they use, which makes it really difficult for the developer to assess whether a given vulnerability really matters for the specific software he/she develops.”
In Log4Shell’s case, Plate said, the popularity of Log4j is central to the threat, since “you can find it literally everywhere.”
That’s compounded by the fact that the flaw can impact systems that aren’t directly exposed to the Internet. “A malicious string or text triggering the vulnerability could be submitted by an attacker to one system, then travel through different databases and systems until it exploits a vulnerable system deep inside an organization’s network,” he said.
“Log4j shines a light on the fact that often, the overhead of responding to a widespread vulnerability is more dangerous than the vulnerability itself,” Plate added.
Managing the Attack Surface
Badhwar noted in a recent blog post that the average enterprise has over 40,000 open source dependencies directly downloaded by developers – and each of those dependencies brings in an average of 77 other dependencies. “This causes massive and uncontrollable sprawl, which slows development while increasing the attack surface,” he wrote.
What’s more, security teams often have very little visibility into where and how that code is being used, so when a vulnerability is disclosed, determining whether or not you’re impacted can be like searching for a needle in a haystack.
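Because the article keeps returning to the difficulty of finding where commons-text sits in a deep dependency tree, here is an added example, not code from the article or from Endor Labs, that walks a directory of JARs, reads the Maven pom.properties metadata each one carries, and flags copies in the 1.5 through 1.9 range named in the CVE; the metadata path, function names and the constructed sample JAR are assumptions of this example.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Iterator, Optional

# Maven metadata path that a commons-text JAR (or a fat JAR bundling it) carries (assumption).
POM_PROPERTIES = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
# Affected range per CVE-2022-42889: 1.5 through 1.9 inclusive; 1.10 is the fix.
AFFECTED_MIN, AFFECTED_MAX = (1, 5), (1, 9)

def parse_version(version: str) -> tuple:
    """Turn '1.10' into (1, 10): compare numerically, since as strings '1.10' < '1.9'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:2])

def is_affected(version: str) -> bool:
    """True if this commons-text version lies in the vulnerable 1.5..1.9 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def commons_text_version(jar_bytes: bytes) -> Optional[str]:
    """Return the commons-text version recorded inside a JAR, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return value.strip()
    return None

def scan_directory(root: str) -> Iterator[tuple]:
    """Yield (path, version, affected) for every JAR under root that bundles
    commons-text, catching transitive copies sitting in lib/ or WEB-INF/lib/."""
    for jar in Path(root).rglob("*.jar"):
        try:
            version = commons_text_version(jar.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a real JAR; skip it rather than abort the scan
        if version is not None:
            yield str(jar), version, is_affected(version)

def make_jar(version: Optional[str]) -> bytes:
    """Constructed sample JAR (demo only): just a pom.properties entry, or none at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is None:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        else:
            zf.writestr(POM_PROPERTIES, f"artifactId=commons-text\nversion={version}\n")
    return buf.getvalue()
```

Run `scan_directory("/path/to/deployments")` against an unpacked application tree to list every bundled copy; a shaded JAR that strips its META-INF/maven entries will not be detected this way and needs a class-level check instead.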
Plate said his company’s method of responding to issues like these is fairly distinctive. “The distinguishing feature of Endor Labs is to perform static code analysis to check whether the vulnerable piece of code contained in some open source component can be triggered in the context of a given software, no matter how deep the vulnerable component is hidden in the pile of dependencies,” he said.
“That context information is key to giving priority to the dozens of vulnerabilities disclosed on a weekly basis, which result in hundreds and thousands of alerts, many of which must not be brought to the developer’s attention in the first place,” Plate added.