Security researchers are tracking a critical vulnerability in the Apache Commons Text library, which could allow an attacker to achieve remote code execution.
The library is mainly focused on algorithms that work on strings. It includes an API that performs interpolation or substitution, allowing properties to be dynamically evaluated and expanded.
Some functions of the library can lead to remote code execution if attacker-controlled data is passed to them, according to security researchers at JFrog.
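A hardened way to use the substitution API, as an added example that is not taken from the article or from the Apache Commons Text project's own code: rather than `StringSubstitutor.createInterpolator()`, which in releases before 1.10.0 registers every built-in lookup (including `script`, `dns` and `url`), the substitutor is built from an explicit allowlist, so a prefix that is not on the list is simply left unresolved. The class name, the choice of `date` as the only allowed lookup and the sample input are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedInterpolation {

    // Build a substitutor that resolves only the lookups listed here.
    // addDefaultLookups=false stops the interpolator from registering the
    // full default set, which before 1.10.0 included script, dns and url.
    // The null default lookup means an unprefixed ${name} is not resolved.
    static StringSubstitutor restrictedSubstitutor() {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    // Expand a template; any ${prefix:...} outside the allowlist is left
    // verbatim instead of being dispatched to a lookup.
    static String expand(String template) {
        return restrictedSubstitutor().replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a request parameter.
        String untrusted = "Report for ${date:yyyy} by ${env:USER}";
        String out = expand(untrusted);
        // The date lookup resolves; the env lookup is not allowlisted and the
        // placeholder survives untouched, which is easy to assert on in tests.
        System.out.println(out);
        System.out.println("unresolved prefix left in place: "
                + out.contains("${env:USER}"));
    }
}
```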
“The vulnerability can only be exploited in cases where some Java code exists and uses this library and passes attacker-controlled data to specific functions,” Shachar Menashe, senior director of security research at JFrog, said via email.
The vulnerability, CVE-2022-42889, comes 10 months after the disclosure of the Log4j vulnerability, which was considered one of the most serious such incidents in the last 20 years. That vulnerability led to widespread efforts from nation-state adversaries and criminal actors to launch attacks, but the actual damage was not as bad as originally feared.
In July, the federal Cyber Safety Review Board issued a report confirming Log4j would not be as impactful as originally feared, but would remain an endemic vulnerability.
This Apache Commons Text vulnerability is not expected to be as serious as Log4j, because the affected functions are less likely to receive user input.
Researchers from GreyNoise said they are aware of proof-of-concept code for the vulnerability that can trigger it in an intentionally vulnerable and controlled environment.
GreyNoise researchers, however, are not aware of any examples of widely deployed, real-world applications using the Apache Commons library in a vulnerable configuration that would allow attackers to exploit the vulnerability with user-controlled data.
A nearly identical vulnerability, tracked as CVE-2022-33980 and carrying the same severity rating of 9.8, was found in July in Apache Commons Configuration.