A new vulnerability makes waves as hackers are starting to exploit it.
What is it exactly?
It’s a flaw in Apache Commons Text, an open-source Apache library.
Text4Shell lets an attacker execute arbitrary code on the victim’s machine (Remote Code Execution, aka “RCE”).
Remember Log4Shell from last year? This vulnerability is similar: the library processes values in a way that invokes internal lookup functionality, which can result in executing malicious code. However, for an attack to be possible, you must be running a vulnerable version and your code must pass attacker-controlled input through the vulnerable interpolation pattern. Otherwise, it can’t be exploited.
What are the risks?
An attacker can inject malicious input containing keywords that can trigger:
1) A DNS request
2) A call to a remote URL
3) An inline script to execute
CVE-2022-42889, aka Text4Shell, is rated 9.8 out of 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
We recommend upgrading the package to version 1.10.0.
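To make the “vulnerable version plus the pattern” condition concrete, here is the call shape that exposes an application beside a hardened variant that only resolves an explicit allow-list of keys. This is an added Java example, not code from the original post or from the Apache project; the class name, the `allowed` map and the sample input are assumptions.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellHardening {

    // Vulnerable shape on Commons Text 1.5 through 1.9: the default
    // interpolator registers the dns, url and script lookups, so any
    // attacker-controlled text reaching replace() can trigger them.
    static String vulnerable(String untrustedInput) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(untrustedInput);
    }

    // Hardened shape: resolve only keys from a map the application
    // controls. No prefix-based lookups are registered, so a variable
    // using a dns:, url: or script: prefix is not a lookup here and is
    // echoed back as literal text instead of being executed.
    static String hardened(String untrustedInput, Map<String, String> allowed) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.mapStringLookup(allowed));
        // Disallow nested ${...} inside variable names as well.
        sub.setEnableSubstitutionInVariables(false);
        return sub.replace(untrustedInput);
    }

    public static void main(String[] args) {
        Map<String, String> allowed = Map.of("user", "alice");
        // Constructed input: one allowed key plus one unknown prefix,
        // which the hardened substitutor leaves untouched.
        String input = "Welcome ${user}; ${unknown:value} stays literal";
        System.out.println(hardened(input, allowed));
    }
}
```

Upgrading to 1.10.0 remains the fix; restricting lookups as above limits exposure where an application must accept user-controlled template text.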
CloudWize users were alerted automatically, as we collect CVEs regularly.
See how easy it is on the CloudWize platform:
