Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text

Theres nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.

Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.
The flaw (
CVE-2022-42889
) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity.
The Apache Software Foundation (ASF)
released an updated version
of the software (Apache Commons Text 1.10.0) on September 24 but issued an
advisory on the flaw
only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and
evaluating string values in code
that contain placeholders. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers, the advisory said.
NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said,
disables the problematic interpolators
by default.
The ASF Apache describes the Commons Text library as providing additions to the standard Java Development Kits (JDK) text handling. Some
2,588 projects
currently use the library, including some major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration, according to data in the Maven Central Java repository.
In an advisory today, GitHub Security Lab said it was
one of its pen testers
that had discovered the bug and reported it to the security team at ASF in March.
Researchers tracking the bug so far have been cautious in their assessment of its potential impact. Noted security researcher Kevin Beaumont wondered in a tweet on Monday if the vulnerability could result in a potential Log4shell situation, referring to the infamous Log4j vulnerability from late last year.
Apache Commons Text
supports functions that allow code execution
, in potentially user supplied text strings, Beaumont said. But in order to exploit it, an attacker would need to find Web applications using this function that also accept user input, he said. I wont be opening up MSPaint yet,
unless anybody can find webapps
that use this function and allow user supplied input to reach it, he tweeted.
Researchers from threat intelligence firm GreyNoise told Dark Reading the company was aware of PoC for CVE-2022-42889 becoming available. According to them, the new vulnerability is nearly identical to one ASF announced in July 2022 that also was associated with variable interpolation in Commons Text. That vulnerability (
CVE-2022-33980
) was found in Apache Commons Configuration and had the same severity rating as the new flaw.
We are aware of Proof-Of-Concept code for CVE-2022-42889 that can trigger the vulnerability in an intentionally vulnerable and controlled environment, GreyNoise researchers say. We are not aware of any examples of widely deployed real-world applications utilizing the Apache Commons Text library in a vulnerable configuration that would allow attackers to exploit the vulnerability with user-controlled data.
GreyNoise is continuing to monitor for any evidence of proof-in-practice exploit activity, they added.
Jfrog Security said it is monitoring the bug and so far, it appears likely that the impact
will be less widespread than Log4j
. New CVE-2022-42889 in Apache Commons Text looks dangerous, JFrog said in a tweet. Seems to only affect apps that pass attacker-controlled strings to-StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup(), it said.
The security vendor said people using Java version 15 and later should be safe from code execution since script interpolation wont work. But other potential vectors for exploiting the flaw — via DNS and URL — would still work, it noted.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text