CVE2022-42889 - Apache Commons Text vulnerability


Does the BigFix Team, have any official/unofficial content for the following vulnerability?

Not yet. I’m beginning to look into it. First impression is that it could be fairly widespread, but not nearly as easy to exploit or as likely to be vulnerable in actual application code as Log4j was.

I have a very basic set of scans and analysis for this on my GitHub page now at if you’d like to give it a test.

These scans are very similar to the Spring Framework scans I published a few months ago. These scan the entire hard drive, searching for the commons-text-*.jar files whether they are standalone files, or embedded in .WAR archives.

There is no throttling of Processor or Disk I/O on these scans. Test with care, especially when scanning multiple endpoints to avoid overwhelming shared infrastructure in virtualization or shared-storage enviroments.

While these scans do attempt to avoid traversing network filesystems, I have only limited resources for testing and may not be able to account for every filesystem type, especially on Linux/UNIX platforms. To detect local filesystems on Linux the script is executing

df -l --output=target -x tmpfs -x devtmpfs | sed 1d

The output should list local filesystems. If network filesystems are listed, those will be scanned and we may need to improve the command to exclude your network filesystem types. I think this scan will be reused as a template as other library vulnerabilities are discovered, so I welcome any improvement to this command.

Once the filesystems are discovered, the ‘find’ command is used to perform the scan, and uses the ‘-xdev’ parameter to avoid traversing mountpoints outside of each scanned filesystem.

So I ran the scan on some windows and some linux systems. I setup the analysis but only the windows machines are showing up in the analysis. None of the linux systems I scanned show up even though the scan came back successful.

Can you check whether the Linux systems created the two output files “apache-commons-text.log” and “apache-commons-text.txt” in the /var/opt/BESClient/Scans directory?

If the .txt file was not created, does the .log file have any useful error messages in it?

[root@cent-1 Scans]# pwd

[root@cent-1 Scans]# ls
apache-commons-text.log grails-databinding-scan-output.txt Spring-scan-output.txt
apache-commons-text.txt grails-databinding-scan.txt Spring-scan.txt

I will have to get a hold of one of the system admins responsible. it may take some time. We also had another major incident come up and have been trying to clean that up, so we are all busy. I will see what I can do to get it today.

so far the only Linux admin that has access is on vacation. I will keep trying

I tried the linux scan as well, I think there is an error in the script, there is only 1 file created and the content is: ./ 5: Syntax error: “(” unexpected


Thank you, I will look into this shortly. Just wanted to acknowledge I’ve seen the responses and appreciate them.

It’s working correctly, at least on my CentOS and RHEL machines. Could you either post or private-message me with the areas from the log that are giving the error? Was that “(” unexpected the only line?

I don’t see any likely spot for the error yet. It could be a shell compatibility of some kind? Under what OS are you seeing this?

I just made a small change to the Linux scan on github. It’s not functionally different, and I don’t expect it to correct the problem you’re seeing, but I enable tracing with the ‘set -o xtrace’ command in the script; that should trigger more verbose output in the .log file.

I’m also assuming sh / bash-like behavior from the shell (which is why I ask about the operating system). I think even Ubuntu’s dash shell should behave this way (when invoked as /bin/sh anyway…).

If you change from “#!/bin/sh” to “#!/bin/bash” - It works as expected

Thanks, that helps. On what operating system are you seeing this behavior?

Ubuntu 20.04, I’ve attached pictures on previous post:slight_smile:

Thanks very much, that helps…a lot.
I’ve built an Ubuntu 22.04 system…and then I lost some time assuming my shell was dash, but my user shell was explicitly /bin/bash instead of /bin/sh…but I’m all caught up now.

The ‘dash’ shell is much stricter in terms of POSIX compliance and doesn’t support some of the statements I was using, that required Bash extensions. I’d rather not have to rely on /bin/bash being present, it seems safer to use only POSIX-compliant statements…with that in mind, I’ve refactored the script and updated it at Github. Please give this version a try and see whether you get better results. This new version is working on CentOS and Ubuntu.

The main change was how the function is defined and how the string comparisons are made.

function handle_file() {{
 echo Handling $1
 if [[ $1 == *\.war || $1 == *\.WAR ||  $1 == *\.zip || $1 == *\.ZIP || $1 == *\.ear || $1 == *\.EAR ]]
 echo "${{1} is an archive, searing content via unzip";
 for embeddedfile in `unzip -Z -1 "$1"  *commons-text-*.jar -x *-sources.jar *-javadoc.jar *-tests.jar`
  echo ${{1}::${{embeddedfile}>>${{OUTPUT_FILE}
echo ${{1}>>${{OUTPUT_FILE}

New version:

handle_file() {{
 echo Handling $1
 case $1 in
 echo "${{1} is an archive, searching content via unzip";
 for embeddedfile in `unzip -Z -1 "$1"  *commons-text-*.jar -x *-sources.jar *-javadoc.jar *-tests.jar`
  echo ${{1}::${{embeddedfile}>>${{OUTPUT_FILE}
 echo ${{1}>>${{OUTPUT_FILE}

@D.Dean were your failing systems also Ubuntu? Can you try the latest version and let me know whether it works for you?

@orbiton Please also try the latest version on yours and let me know if that resolves for you.

I’m asking for feedback on this before I post it to, because every time I update it on the new version gets a new download link, so I want it to be fairly static before I copy it there.

@JasonWalker Works great! Thanks :slight_smile:

1 Like

@JasonWalker Sorry, I have been off since Thursday.

The Linux OSes we have are RH and CentOS.

I dont know if the scan is the issue or if the analysis is. We ran the scan and it says complete but the analysis does not show the results.


We need to get used to this. Seems like these kinds of libraries will be the new attack vector for threat actors.

Are the Linux machines subscribed to the site containing the Analysis?

Can you run the relevance from the Analysis against some of the scanned machines, either with the WebUI Query app or the local Linux QNA utility? I’d like to check whether the output files that I’m expecting were actually created…