Security News > 2022 > October > Apache Commons Text flaw is not a repeat of Log4Shell (CVE-2022-42889)
A freshly fixed vulnerability in the Apache Commons Text library has been getting attention from security researchers over the last few days, amid worries that it could lead to a repeat of the Log4Shell dumpster fire.
The final verdict shows there's no need to panic: while the vulnerability is exploitable, "The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input," says Rapid7 AI researcher Erick Galinkin.
CVE-2022-42889, discovered and reported by security researcher Alvaro Muñoz, is a vulnerability in the popular Apache Commons Text library, which is focused on algorithms working on strings.
"Organizations who have direct dependencies on Apache Commons Text should upgrade to the fixed version," Galinkin advised.
"As with most library vulnerabilities, we will see the usual tail of follow-on vendor advisories with upgrades for products that package vulnerable implementations of the library. We recommend that you install these patches as they become available, and prioritize any where the vendor indicates that their implementation may be remotely exploitable."
"Log4J is a widely used Java library and any webserver running the vulnerable version could have been easily exploited, while the Commons Text library isn't as prevalent," says Christopher Budd, Senior Manager, Sophos Threat Research.
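Galinkin's point is that the vulnerable component is only a problem when untrusted input reaches Commons Text's variable interpolation. The following is an added example, not code from the article or from the Apache Commons project, showing the defensive pattern an application that must interpolate untrusted strings should use: instead of `StringSubstitutor.createInterpolator()`, which registers the library's full default set of lookups, it builds a substitutor over an explicit application-controlled map, so a template can only reference values the application chose to expose. The map contents and the template string are constructed sample data.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Application-controlled values that untrusted templates may reference
    // (constructed sample data for this example).
    private static final Map<String, String> APP_VALUES = Map.of(
            "user.name", "alice",
            "site.name", "Example Portal");

    /**
     * Expands ${...} references against APP_VALUES only. No interpolator
     * lookup is registered, so prefixed references such as ${sys:...} or
     * ${env:...} are simply unknown keys and are left in the output
     * unexpanded rather than evaluated.
     */
    public static String expandAllowlisted(String untrustedTemplate) {
        StringLookup mapOnly = StringLookupFactory.INSTANCE.mapStringLookup(APP_VALUES);
        StringSubstitutor sub = new StringSubstitutor(mapOnly);
        // Disallow nested ${${...}} forms so a template cannot assemble
        // a variable name at runtime.
        sub.setEnableSubstitutionInVariables(false);
        return sub.replace(untrustedTemplate);
    }

    public static void main(String[] args) {
        // Constructed sample: a template string influenced by an external user.
        String template = "Welcome ${user.name} to ${site.name}; home=${sys:user.home}";
        System.out.println(expandAllowlisted(template));
    }
}
```

Running this prints the two allowlisted values expanded and leaves `${sys:user.home}` untouched; the same template passed through a default interpolator would instead be handed to the library's built-in lookups, which is the code path the advisory concerns.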
Related Vulnerability
| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2022-10-13 | CVE-2022-42889 | Code Injection vulnerability in multiple products: Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. | 9.8 |