- The Apache Commons Text team is urging users to upgrade to version v1.10.0, which disables faulty interpolators at the center of a critical vulnerability that some security researchers have now dubbed "Text4Shell."
- Those using an earlier version of commons text are considered safe from the vulnerability. Apache says users are only affected when using a stringsubstitutor API without properly sanitizing untrusted input, according to a blog post released Tuesday.
- The upgrade to v1.10.0 will serve as a quick workaround, however the best option is to properly validate and sanitize any untrusted input.
Apache Commons Text is a low-level library used for various text operations, including calculating string differences, escaping as well as substituting placeholders in text. Interpolators are used to look up values, and while using a feature called string substitution, some interpolators can trigger code execution or network access, according to the blog.
Updating to v1.10.0 disables the problematic interpolators by default, according to Arnout Engelen, security response program manager at Apache.
The vulnerability was first discovered by Alvaro Muñoz, a member of GitHub Security Lab, and reported to Apache on March 9, according to a blog post. The Apache team acknowledged the disclosure by March 25.
By May 27 the Apache team confirmed they were disabling the script interpolation by default. They confirmed June 29 they were working on updating commons text and came out with v1.10.0 by October 12.
While the Apache Commons Text vulnerability led to fears of a Log4j type security crisis, researchers from Sophos said any comparison with the Log4j vulnerability is misapplied in this case, noting that Log4j is a much more widely used Java library.
“Log4j can be exploited with generic code, while this new vulnerability likely requires code that is specific and targeted,” Christopher Budd, senior manager of threat research at Sophos, said. “Most applications will not be passing unsanitized user provide values to the libraries’ vulnerable functions, reducing or negating the exploitation risks.”
Officials at the Apache Software Foundation, when asked about the scope of how widely used Apache Commons Text is, said it “produces software for the public good” and does not not track how releases get used or included in others’ products.
Researchers at JFrog released an open source tool to detect Java binaries, which are at risk to the vulnerability.