CVE-2022-42889 Overview
Apache Commons Text versions 1.5 through 1.9 contain a critical code injection vulnerability in the variable interpolation functionality, commonly referred to as "Text4Shell." The library performs variable interpolation using the format ${prefix:name}, where the prefix determines which StringLookup instance handles the interpolation. The default configuration included dangerous interpolators that enable arbitrary code execution, DNS lookups, and remote URL fetching when processing untrusted input.
The affected interpolators include:
- script - Executes expressions using the JVM script execution engine (javax.script)
- dns - Resolves DNS records, potentially leaking sensitive information
- url - Loads values from URLs, including remote servers
Critical Impact
Applications using Apache Commons Text 1.5-1.9 with default interpolation settings are vulnerable to remote code execution if untrusted configuration values are processed. Attackers can execute arbitrary commands on the target system with no authentication required.
Affected Products
- Apache Commons Text 1.5 through 1.9
- NetApp BlueXP
- Juniper Security Threat Response Manager (versions through 7.5.0-UP3)
- Juniper JSA Series Appliances (JSA1500, JSA3500, JSA3800, JSA5500, JSA5800, JSA7500, JSA7800)
Discovery Timeline
- October 13, 2022 - CVE-2022-42889 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-42889
Vulnerability Analysis
The vulnerability exists in the StringSubstitutor class and its associated StringLookup implementations within Apache Commons Text. When the library processes strings containing interpolation expressions, it resolves them using registered lookup instances. By default, several dangerous lookups were enabled that provide direct access to system capabilities including script execution, DNS resolution, and URL fetching.
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection). The attack requires no authentication and can be executed remotely over the network with low complexity. A successful exploit grants attackers the ability to execute arbitrary code with the same privileges as the vulnerable application, potentially leading to complete system compromise, data theft, or lateral movement within the network.
Root Cause
The root cause lies in the insecure default configuration of the StringLookup interpolators in Apache Commons Text. The library's design allowed powerful system capabilities to be exposed through simple string interpolation syntax without requiring explicit opt-in from developers. The ScriptStringLookup, DnsStringLookup, and UrlStringLookup classes were all included in the default lookup registry, enabling attackers to leverage these capabilities simply by injecting malicious interpolation strings into user-controlled input that gets processed by the library.
Attack Vector
Exploitation occurs when an attacker can inject a specially crafted interpolation string into any application input that is subsequently processed by StringSubstitutor or related classes. The attack payload uses the ${prefix:name} format to invoke dangerous lookups:
- ${script:javascript:...} - Executes JavaScript code via the JVM script engine
- ${dns:address|...} - Performs DNS lookups that can exfiltrate data
- ${url:http://...} - Fetches content from remote URLs, enabling SSRF attacks
The following proof-of-concept demonstrates remote code execution by executing a system command:
${script:javascript:java.lang.Runtime.getRuntime().exec('mkdir poc-test')}
Source: CVE-2022-42889 PoC Repository
Detection Methods for CVE-2022-42889
Indicators of Compromise
- Presence of Apache Commons Text versions 1.5 through 1.9 in application dependencies (check pom.xml, build.gradle, or JAR files)
- Log entries containing interpolation patterns such as ${script:, ${dns:, or ${url: in request parameters or user input
- Unexpected outbound DNS queries or HTTP connections from application servers
- Evidence of suspicious process spawning from Java application processes
- Network traffic containing Base64-encoded or obfuscated interpolation payloads
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing ${script:, ${dns:, and ${url: patterns
- Deploy runtime application self-protection (RASP) solutions to monitor javax.script API usage and block unauthorized script execution
- Use Software Composition Analysis (SCA) tools to identify vulnerable Apache Commons Text versions in your dependency tree
- Monitor Java process behavior for unexpected child process creation or network connections
Monitoring Recommendations
- Enable verbose logging for applications using Apache Commons Text to capture interpolation processing events
- Configure SIEM rules to alert on patterns matching Text4Shell exploitation attempts in HTTP request logs
- Monitor for anomalous DNS query patterns that may indicate data exfiltration via DNS lookups
- Set up alerts for unexpected outbound connections from application servers to unknown external hosts
How to Mitigate CVE-2022-42889
Immediate Actions Required
- Upgrade Apache Commons Text to version 1.10.0 or later, which disables the problematic interpolators by default
- Conduct a dependency audit to identify all applications and components using vulnerable Apache Commons Text versions
- Apply vendor patches for affected products including NetApp BlueXP and Juniper Security Threat Response Manager
- Implement input validation to reject strings containing interpolation patterns if immediate patching is not possible
Patch Information
Apache has released version 1.10.0 of Commons Text which addresses this vulnerability by disabling the dangerous script, DNS, and URL interpolators by default. Users should upgrade immediately to this version or later. For detailed information, see the Apache Security Advisory.
Additional vendor patches are available:
- NetApp Security Advisory NTAP-20221020-0004
- SonicWall Security Advisory SNWLID-2022-0022
- Gentoo Linux Security Advisory GLSA 202301-05
Workarounds
- If upgrading is not immediately possible, explicitly configure StringSubstitutor to use only safe lookups by creating a custom StringLookup registry that excludes script, dns, and url lookups
- Implement strict input validation to sanitize or reject any user input containing the ${ pattern before processing
- Use a Web Application Firewall to block requests containing known malicious interpolation patterns
- Consider network segmentation to limit the impact of potential exploitation by restricting outbound connections from application servers
# Maven dependency update to patched version
# Update pom.xml to use Apache Commons Text 1.10.0 or later:
# <dependency>
# <groupId>org.apache.commons</groupId>
# <artifactId>commons-text</artifactId>
# <version>1.10.0</version>
# </dependency>
# Verify current version in your project
mvn dependency:tree | grep commons-text
# Force update to patched version
mvn versions:use-latest-releases -Dincludes=org.apache.commons:commons-text
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
