December 1, 2023

Researchers are tracking a recently discovered vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.

The vulnerability, tracked as CVE-2022-42889, has a CVSS score of 9.8 out of 10.0 and exists in versions 1.5 through 1.9 of Apache Commons Text. PoC code for the vulnerability is already available, though there is no sign of exploit activity.


The Apache Software Foundation released an updated version of the software on September 24 but issued an advisory last week. The flaw is described as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which is the process of looking up and evaluating string values in code that contain placeholders.

NIST urged users to upgrade to Apache Commons Text 1.10.0, which it said “disables the problematic interpolators by default.”
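To check whether a build pulls in one of the affected releases, the following added example (not from the advisory or the Apache project) scans dependency listings for Commons Text 1.5 through 1.9. The sample lines are constructed, the function names are this example's own, and versions are compared numerically because a plain string comparison would sort 1.10.0 before 1.9.

```python
import re

# Affected range as stated in the article: 1.5 through 1.9 (fixed in 1.10.0).
FIRST_AFFECTED = (1, 5)
LAST_AFFECTED = (1, 9)

# Maven/Gradle coordinates, e.g. org.apache.commons:commons-text:jar:1.9:compile,
# and jar file names, e.g. commons-text-1.9.jar or commons-text-1.9-sources.jar.
_PATTERNS = (
    re.compile(r"org\.apache\.commons:commons-text:(?:[A-Za-z][\w-]*:)*(\d+(?:\.\d+)*)"),
    re.compile(r"commons-text-(\d+(?:\.\d+)*)[\w.-]*\.jar"),
)


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when major.minor falls inside the 1.5 to 1.9 range."""
    return FIRST_AFFECTED <= parse_version(version)[:2] <= LAST_AFFECTED


def find_affected(lines):
    """Return (line_number, version) for each affected commons-text reference."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for pattern in _PATTERNS:
            for match in pattern.finditer(line):
                if is_affected(match.group(1)):
                    hits.append((number, match.group(1)))
    return hits


# Constructed sample: `mvn dependency:tree` style lines and jar paths.
SAMPLE = """\
[INFO] +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] +- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
lib/commons-text-1.5.jar
lib/commons-text-1.4.jar
lib/commons-text-1.10.0.jar
""".splitlines()

if __name__ == "__main__":
    for number, version in find_affected(SAMPLE):
        print(f"line {number}: commons-text {version} is in the affected range")
```

The scan only sees the library where its coordinates or jar name are visible, so copies repackaged inside shaded or fat jars under another name need a separate check.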

The ASF describes the Commons Text library as providing additions to the standard Java Development Kit’s text handling. Some 2,588 projects currently use the library, including some major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration.

GitHub Security Lab said in its advisory that one of its pen testers had discovered the bug and reported it to the security team at ASF in March.


Customers using Java version 15 and later should be safe from code execution since script interpolation won’t work. But other potential vectors for exploiting the flaw via DNS and URL would still work, it noted.
