Securonix Threat Labs Security Advisory: Apache Commons Text4Shell (CVE-2022-42889) Exploitation – Analysis and Detection

Keypoints

• Text4Shell is a critical remote code execution flaw in Apache Commons Text versions 1.5–1.9; a patch is available in version 1.10.0.
• The vulnerability affects any applications using the Apache Commons Text library and public-facing servers are most at risk, though its scope is not expected to be as wide as Log4Shell or Spring4Shell.
• Exploitation relies on manipulating input prefixes (e.g., URL parameters) to trigger StringLookup evaluation and run code on the host; the attack can be carried out by passing a prefix string in the URL to the vulnerable app. “The attack is not complex and can be carried out simply by passing a prefix string where the prefix is a query which can be fed in via a parameter into the URL of the vulnerable application.”
• Payloads can be delivered via different prefixes, such as script or dns, allowing execution of JavaScript and subsequent shell commands on the host. “The prefix ‘script’ will execute a JavaScript payload which will then run a shell command on the host.”
• Evidence of successful exploitation can include created files like /tmp/whoami.txt containing “root,” indicating remote code execution.
• Post-exploitation scenarios include adding a new user, downloading a webshell or C2 framework beacons (e.g., Cobalt Strike, Sliver) depending on permissions.
• Securonix recommends asset inventory, patching to 1.10.0, and using specific detection queries and policies to identify exploitation attempts.