This post summarizes previous discussion and detection efforts around vulnerabilities in Apache Commons Text, versions 1.5 up to 1.10. Details of the vulnerability are at https://nvd.nist.gov/vuln/detail/CVE-2022-42889 and https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om . This vulnerability is currently rated 9.8 by NVD.
Based on the nature of the vulnerability, comparisons to Log4j are inevitable. The following are my personal thoughts based upon my reading of the vulnerability and exploit news:
For detection, the complexity is similar to Log4j, in that we must find a Java library that may be delivered in any number of applications. The commons-text.jar file may present itself on the filesystem, in any path, or may be embedded in a .WAR archive for web-deployed applications.
For remediation, the complexity is both simpler and more difficult than Log4j. There is no guidance on modifying the existing-version .JAR files to remove vulnerable classes; the only remediation appears to be replacing commons-text with version 1.10 or higher. Doing so requires that each affected application make changes, as the filename may be referenced in configuration files or application code, so simply removing the older file and adding the newer file is unlikely to suffice.
For exploitation, this appears to be more difficult to exploit than Log4j was. Cursory reports are that many applications that make use of commons-text may not be vulnerable to known exploits simply based on the way most applications use the library. With that said, we are beginning to see reports of exploits in the wild. Where vulnerable versions of the commons-text library are detected, you should contact the software vendor to determine your actual vulnerability and mitigation plan.
The BigFix Inventory team has posted a detailed discussion of the vulnerability, as well as custom Inventory signatures that can be used to detect the affected .JAR files. Discussion of the signatures and usage is at
In collaboration with the BigFix Community, I have published two Tasks and an Analysis to detect Apache Commons Text libraries. These scans detect commons-text either as standalone .JAR files, or embedded in WAR archives for web deployment. These perform full filesystem scans and should be scheduled with care, especially on shared resources such as virtualized or shared-storage environments. As these tasks rely entirely on shell scripting, there is no option to throttle scanning, so take care to stagger action-start-times when scanning across multiple machines.
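As an added illustration of the detection logic described above (standalone commons-text .JAR files anywhere on the filesystem, plus copies embedded in .WAR archives), here is a small Python scanner. It is example code written for this post, not the published BigFix Tasks or Analysis, which use shell scripting; Python is used here only because its standard-library zipfile module makes it easy to build a self-contained, offline demonstration. The affected range is taken from the post (1.5 up to, but not including, 1.10); the jar contents, manifest entries, and directory layout it creates are constructed sample data, not real software.

```python
"""Added example: find Apache Commons Text jars, standalone or inside .war
archives, and flag versions in the affected range (1.5 <= v < 1.10 per the post)."""
import io
import os
import re
import tempfile
import zipfile

AFFECTED_MIN = (1, 5)   # first affected release, per the post
FIXED_MIN = (1, 10)     # first fixed release, per the post

VERSION_IN_NAME = re.compile(r"commons-text-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'1.9' -> (1, 9); None if the text does not start with a dotted version."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version):
    """Tuple comparison: (1, 10, 0) is not < (1, 10), so 1.10.x is clean."""
    return version is not None and AFFECTED_MIN <= version < FIXED_MIN


def version_from_manifest(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return parse_version(value)
    return None


def inspect_jar(name, data):
    """Version of a commons-text jar: manifest first, filename as fallback."""
    ver = None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            ver = version_from_manifest(zf)
    except zipfile.BadZipFile:
        pass  # corrupt or non-zip file named .jar: rely on the filename only
    if ver is None:
        m = VERSION_IN_NAME.search(name)
        ver = parse_version(m.group(1)) if m else None
    return ver


def is_commons_text_jar(name):
    base = os.path.basename(name).lower()
    return base.startswith("commons-text") and base.endswith(".jar")


def scan_tree(root):
    """Walk root; return [(location, version, affected)] for every hit.
    Locations inside a .war are written as '<war path>!<entry name>'."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if is_commons_text_jar(fn):
                with open(path, "rb") as f:
                    ver = inspect_jar(fn, f.read())
                findings.append((path, ver, is_affected(ver)))
            elif fn.lower().endswith(".war"):
                try:
                    with zipfile.ZipFile(path) as war:
                        for entry in war.namelist():
                            if is_commons_text_jar(entry):
                                ver = inspect_jar(entry, war.read(entry))
                                findings.append((f"{path}!{entry}", ver, is_affected(ver)))
                except zipfile.BadZipFile:
                    continue  # not a real archive; skip it
    return sorted(findings, key=lambda f: f[0])


def _make_jar_bytes(impl_version):
    """Constructed stand-in for a commons-text jar (manifest plus one dummy class)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if impl_version:
            manifest += f"Implementation-Version: {impl_version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("org/apache/commons/text/StringSubstitutor.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree():
    """Constructed sample layout (hypothetical paths): two standalone jars and one .war."""
    root = tempfile.mkdtemp(prefix="ct-scan-")
    lib = os.path.join(root, "opt", "app", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "commons-text-1.9.jar"), "wb") as f:
        f.write(_make_jar_bytes("1.9"))
    with open(os.path.join(lib, "commons-text-1.10.0.jar"), "wb") as f:
        f.write(_make_jar_bytes("1.10.0"))
    webapps = os.path.join(root, "tomcat", "webapps")
    os.makedirs(webapps)
    with zipfile.ZipFile(os.path.join(webapps, "sample.war"), "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        # filename carries no version, so only the manifest reveals it
        war.writestr("WEB-INF/lib/commons-text.jar", _make_jar_bytes("1.8"))
    return root


if __name__ == "__main__":
    for loc, ver, bad in scan_tree(build_sample_tree()):
        print(("AFFECTED " if bad else "ok       ") + loc, ver)
```

Because this is a full filesystem walk, the same scheduling caution applies as for the shell-based tasks: point it at a bounded root and stagger runs across machines rather than launching it everywhere at once.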
These tasks & analysis are hosted on my personal GitHub page. The content is at https://github.com/Jwalker107/BigFix/tree/master/Test%20Content/Apache%20commons-text and discussion is detailed at the following link. Special thanks to @orbiton and @D.Dean for their help here.
CVE-2022-42889 - Apache Commons Text vulnerability
Some may have difficulty reaching GitHub links or downloading content from GitHub. To make it easier to download and use this community content, I have now posted them on bigfix.me. Note the download links will change if & when I make revisions and publish new versions; I will update this post as needed.
As of now, there are no plans to publish out-of-box content for detecting Apache commons-text. This case is a good example of how custom content can extend the reach of BigFix to deal with issues that arise outside of our supported content. If you have difficulty obtaining or using any of this content, please post here.
I hope you find this useful,