Critical Text4Shell RCE Vulnerability Discovered in Apache Commons Text
A critical vulnerability dubbed Text4Shell has been discovered in the Apache Commons Text library. This remote code execution (RCE) flaw, reported by Alvaro Muñoz, affects versions 1.5 through 1.9 and has a CVSS v3 base score of 9.8.
Unlike its predecessors Log4Shell and Spring4Shell, Text4Shell is not expected to be exploited as widely, because the vulnerable code path (the library's default interpolating string substitutor applied to attacker-controlled input) is far less common in production than Log4j's message lookups were. Where that path exists, however, the risk is just as severe, and it should be addressed promptly.
The vulnerability, identified as CVE-2022-42889, stems from insecure interpolation defaults: in versions 1.5 to 1.9 the interpolator returned by StringSubstitutor.createInterpolator() enables the script, dns and url lookups, so any untrusted string passed to its replace() method can trigger script execution (with a JSR-223 engine present), DNS lookups or outbound HTTP requests. To mitigate Text4Shell, upgrade the library to 1.10.0, which disables those three lookups by default, and rebuild any container images that bundle the older jar. Where an upgrade cannot be rolled out immediately, avoid feeding untrusted input to the default interpolator, or construct the substitutor with an explicit allow-list of lookups.
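The following is an added example, not code from the original article or from the Apache Commons Text project. It places the vulnerable usage pattern beside two hardened alternatives. The class name, the method names and the constructed input string are assumptions for illustration; the library calls (StringSubstitutor.createInterpolator, StringLookupFactory.interpolatorStringLookup with addDefaultLookups=false, and the map-backed StringSubstitutor constructor) are the real commons-text API. Reproducing the unsafe behaviour requires commons-text 1.5 to 1.9 on the classpath and, for the script lookup, a JSR-223 JavaScript engine such as Nashorn (bundled with JDK 8 to 14).

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Text4Shell (CVE-2022-42889): vulnerable pattern next to hardened ones.
 * Hypothetical demo class, not part of commons-text.
 */
public class Text4ShellDemo {

    // Constructed attacker-controlled input (assumption for the demo). The expression here
    // is harmless; the same shape with a java.lang.Runtime.getRuntime().exec(...) call runs
    // arbitrary OS commands on 1.5-1.9 when a JavaScript engine is available.
    static final String UNTRUSTED =
            "Hello ${script:javascript:java.lang.System.getProperty('user.name')}";

    /** VULNERABLE on 1.5-1.9: the default interpolator enables script, dns and url lookups. */
    static String expandUnsafe(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    /**
     * HARDENED: build the interpolator from an explicit allow-list and pass
     * addDefaultLookups=false, so script/dns/url and every other default lookup are
     * unavailable regardless of library version. Only "sys" is permitted here as an
     * illustration; note that it still exposes JVM system properties, so choose the
     * allow-list for the data the template genuinely needs.
     */
    static String expandSafe(String template) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        StringLookup interpolator =
                StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator).replace(template);
    }

    /** SAFEST: substitute only from a fixed map; no prefixed lookups exist at all. */
    static String expandFromMap(String template, Map<String, String> values) {
        return new StringSubstitutor(values).replace(template);
    }

    public static void main(String[] args) {
        // On 1.5-1.9 with Nashorn the script runs and the current user name is printed.
        // On 1.10.0 and later the script lookup is off by default and the ${script:...}
        // text is left unresolved.
        System.out.println("unsafe : " + expandUnsafe(UNTRUSTED));

        // "script" is not in the allow-list and there is no fallback lookup, so the
        // variable is left exactly as the attacker sent it, on every library version.
        System.out.println("safe   : " + expandSafe(UNTRUSTED));

        Map<String, String> values = new HashMap<>();
        values.put("name", "world");
        System.out.println("map    : " + expandFromMap("Hello ${name}", values));
    }
}
```

The allow-list form is the one to reach for when templates legitimately need some prefixed lookups, because it does not depend on the library's defaults and therefore keeps behaving the same if the jar is later downgraded by a transitive dependency. When the only variables come from your own map, the plain map-backed constructor is simpler and removes the interpolator entirely.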
Qualys Container Security can detect vulnerabilities like Text4Shell across the container lifecycle, from image build time through runtime. Its sensors report Text4Shell in container environments under QID 988179.
In summary, Text4Shell is a critical RCE vulnerability in Apache Commons Text that requires immediate attention. Inventory the environment for commons-text 1.5 to 1.9, prioritise upgrading to 1.10.0 wherever untrusted input reaches a StringSubstitutor, and use tooling such as Qualys Container Security to find and prioritise affected images in container environments.