Dive Brief:
- The Apache Commons Text team is urging users to upgrade to v1.10.0, which disables by default the unsafe interpolators at the center of a critical vulnerability, tracked as CVE-2022-42889, that some security researchers have dubbed "Text4Shell."
- The vulnerability affects Commons Text versions 1.5 through 1.9; releases before 1.5, which predate the affected interpolation feature, are not exposed. Apache says applications are only affected when they pass untrusted input to the StringSubstitutor API without properly sanitizing it, according to a blog post released Tuesday.
- Upgrading to v1.10.0 is a quick mitigation; however, the best option is to properly validate and sanitize any untrusted input before it reaches the library.
Dive Insight:
Apache Commons Text is a low-level library used for various text operations, including calculating string differences, escaping, and substituting placeholders in text. Interpolators are lookups that resolve placeholders of the form ${prefix:name} to values. In the string substitution feature, some of the lookups enabled by default in versions 1.5 through 1.9 (the "script", "dns" and "url" lookups) can trigger code execution via the JVM script engine or network access, according to the blog.
Updating to v1.10.0 disables the problematic interpolators by default, according to Arnout Engelen, security response program manager at Apache.
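As an added example (not code from the article or from the Apache project), the vulnerable usage pattern next to two hardened alternatives. Class and method names are illustrative; the snippet assumes commons-text on the classpath and, for the script lookup to actually evaluate anything, a javax.script engine such as Nashorn (bundled with JDK 8 through 14). The sample input is constructed.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

/*
 * Illustrative example, not the Apache project's own code.
 * Shows why "untrusted text as the template" is the exploitable pattern.
 */
public class Text4ShellDemo {

    // Constructed sample of attacker-controlled text (e.g. a form field or header).
    // With commons-text 1.5-1.9 the "script" lookup evaluates the expression;
    // any Java API reachable from the script engine could be called here.
    static final String UNTRUSTED =
        "Hello ${script:javascript:java.lang.System.getProperty('user.name')}";

    /** VULNERABLE: the untrusted text IS the template and the default
     *  interpolator (script:, dns:, url: enabled in 1.5-1.9) resolves it. */
    static String vulnerable(String input) {
        return StringSubstitutor.createInterpolator().replace(input);
    }

    /** HARDENED: resolve placeholders only against an explicit map of trusted
     *  values. No interpolator is involved, so "script:", "dns:" and "url:"
     *  are never consulted; unknown placeholders stay as literal text. */
    static String hardened(String template, Map<String, String> vars) {
        StringSubstitutor sub = new StringSubstitutor(
            StringLookupFactory.INSTANCE.mapStringLookup(vars));
        return sub.replace(template);
    }

    /** If untrusted text must be spliced into a template that is interpolated,
     *  neutralise "${" with the default escape character '$' so it renders
     *  literally instead of opening a lookup. */
    static String escapeForTemplate(String untrusted) {
        return untrusted.replace("${", "$${");
    }

    public static void main(String[] args) {
        // 1.5-1.9: prints "Hello <os user>"; 1.10.0: the placeholder is left unresolved.
        System.out.println("vulnerable : " + vulnerable(UNTRUSTED));

        // Safe on every version: "script:..." is not a key in the map, so the
        // placeholder is echoed back unchanged and nothing is executed.
        System.out.println("hardened   : " + hardened(UNTRUSTED, Map.of("name", "Alice")));

        // Safe on every version: the trusted "${name}" resolves to "Alice" while
        // the escaped "$${script:...}" renders as the literal "${script:...}".
        String template = "Hello ${name}, you said: " + escapeForTemplate(UNTRUSTED);
        StringSubstitutor sub = new StringSubstitutor(
            StringLookupFactory.INSTANCE.interpolatorStringLookup(Map.of("name", "Alice")));
        System.out.println("escaped    : " + sub.replace(template));
    }
}
```

The design point is the first method: the exploit needs the attacker's bytes to be the template, not merely a value substituted into one. Prefer the map-backed substitutor wherever the prefix lookups are not needed; the escape helper is a fallback for code that genuinely must interpolate a template containing user text, and it protects against the lookup syntax only, not against whatever the application does with the result afterwards.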
The vulnerability was first discovered by Alvaro Muñoz, a member of GitHub Security Lab, and reported to Apache on March 9, according to a blog post. The Apache team acknowledged the disclosure by March 25.
On May 27 the Apache team confirmed it would disable script interpolation by default. On June 29 it confirmed it was working on an updated Commons Text release, and v1.10.0 was out by October 12.
While the Apache Commons Text vulnerability led to fears of a Log4j type security crisis, researchers from Sophos said any comparison with the Log4j vulnerability is misapplied in this case, noting that Log4j is a much more widely used Java library.
“Log4j can be exploited with generic code, while this new vulnerability likely requires code that is specific and targeted,” Christopher Budd, senior manager of threat research at Sophos, said. “Most applications will not be passing unsanitized user-provided values to the library’s vulnerable functions, reducing or negating the exploitation risks.”
Officials at the Apache Software Foundation, when asked how widely Apache Commons Text is used, said it “produces software for the public good” and does not track how releases get used or included in others’ products.
Researchers at JFrog released an open source tool to detect Java binaries that are vulnerable to the flaw.
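As an added example (not JFrog's tool and not code from the article), a small scanner in the library's own language that walks a directory of jars, reads the Maven metadata the commons-text jar ships with, and flags the 1.5 through 1.9 range that Apache lists as affected. Class, method and path names are illustrative; it assumes a standard JDK and that the jars carry their Maven pom.properties (shaded or repackaged jars may not).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;
import java.util.jar.JarFile;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;

/*
 * Illustrative scanner, not the JFrog tool. Usage: java CommonsTextScan <dir>
 */
public class CommonsTextScan {

    // Maven metadata bundled in the official commons-text jar.
    static final String POM_PROPS =
        "META-INF/maven/org.apache.commons/commons-text/pom.properties";
    // Present in every release that has the script lookup, 1.10.0 included,
    // so on its own it only says "look closer" when the metadata is missing.
    static final String SCRIPT_LOOKUP =
        "org/apache/commons/text/lookup/ScriptStringLookup.class";

    /** Version from pom.properties, or null if the jar does not bundle commons-text. */
    static String commonsTextVersion(JarFile jar) throws IOException {
        ZipEntry e = jar.getEntry(POM_PROPS);
        if (e == null) return null;
        Properties p = new Properties();
        try (InputStream in = jar.getInputStream(e)) { p.load(in); }
        return p.getProperty("version");
    }

    /** True for 1.5 <= version < 1.10, the range Apache reports as affected. */
    static boolean isAffected(String version) {
        String[] parts = version.split("[.-]");   // tolerate "1.9", "1.9.0", "1.10.0-SNAPSHOT"
        if (parts.length < 2) return false;
        try {
            int major = Integer.parseInt(parts[0]);
            int minor = Integer.parseInt(parts[1]);
            return major == 1 && minor >= 5 && minor <= 9;
        } catch (NumberFormatException ex) {
            return false;   // unparseable version string: do not claim anything
        }
    }

    /** Walks root, reporting every jar that bundles commons-text. */
    static void scan(Path root) throws IOException {
        try (Stream<Path> files = Files.walk(root)) {
            files.filter(f -> f.toString().endsWith(".jar")).forEach(jarPath -> {
                try (JarFile jar = new JarFile(jarPath.toFile())) {
                    String v = commonsTextVersion(jar);
                    if (v != null) {
                        System.out.printf("%s  commons-text %s  %s%n", jarPath, v,
                            isAffected(v) ? "AFFECTED (upgrade to 1.10.0 or later)" : "ok");
                    } else if (jar.getEntry(SCRIPT_LOOKUP) != null) {
                        // Shaded/repackaged: classes present but no metadata to date them.
                        System.out.printf("%s  bundles ScriptStringLookup, version unknown: review manually%n",
                            jarPath);
                    }
                } catch (IOException ex) {
                    System.err.println("skip " + jarPath + ": " + ex.getMessage());
                }
            });
        }
    }

    public static void main(String[] args) throws IOException {
        scan(Path.of(args.length > 0 ? args[0] : "."));
    }
}
```

A hit from this scanner means the affected library is present, not that the application is exploitable: that still requires untrusted input reaching a StringSubstitutor built with the default interpolator. Treat the output as a prioritised upgrade list and confirm the data flow in code review.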