Skip to main content

Apache Software Foundation published an official security advisory on a critical RCE vulnerability in Apache Commons Text Library on 13th Oct. The flaw dobbed Text4shell is being tracked under the identifier CVE-2022-42889 is a critical remote code execution vulnerability with a severity score of 9.8 out of 10 on the CVSS scale. Since the flaw lets attackers execute arbitrary code on the machine which has the vulnerable versions of Apache Commons Text Library on it, it is important to know how to fix Text4shell, a critical RCE vulnerability in Apache Commons Text library.

Let’s see a short note about the Apache Commons Text library, a summary of the Text4shell, the versions affected, and finally, how to fix Text4shell, a critical RCE vulnerability  in Apache Commons Text library in this post.

A Short Introduction About Apache Commons Text Library:

The Apache Commons Text library is a sting substitution Library that provides a set of helpful utilities when working with text in Java. This includes things like generating random strings, calculating Levenshtein distance between two strings, and providing various String formatting options. Overall, the library is built to boost the string functions in Java in addition to the existing default string functions in Java. It is very easy to use and can be a big help when working with text data in Java applications.

Summary of Text4shell Vulnerability

The vulnerability dubbed ‘Text4shell’ or ‘Act4Shell’ is a vulnerability stemmed from the Apache Commons Text Library, an open-source Apache library that is built to provide more string interpolation features like string substitution, lookups, matching and other functions in Java programming.

This vulnerability has been given a score of 9.8 on the CVSS scale and is considered critical in severity. By looking at its severity and its name, ‘Text4shell’, many have started treating this flaw as similar to last year’s Log4Shell vulnerability in the Apache Log4j library. However, due to the less usage of the Apache Commons Text library in comparison with the Apache Log4j library, the exploitability of Text4shell is quite less than Log4shell.

The Text4shell vulnerability is due to the dynamic evaluation and execution of variable interpolation of properties by the Apache Commons Text Library. The vulnerability exists in the StringSubstitutor interpolator object created by the StringSubstitutor.createInterpolator() method of the Apache Common Text library. The method allows various types of sting lookups such as “script”, “DNS”, or “URL” to pass in “${prefix:name}” format.

The attacker will abuse the dynamic evaluation and execution of “script”, “DNS”, or “URL” lookups in the StringSubstitutor interpolator object of the Apache Common Text library by crafting and passing malicious stings to the interpolator object, which eventually executes arbitrary codes on the victim

Methods that allow attackers to use the ScriptStringLookup to trigger arbitrary code execution are:

- StringSubstitutor.createInterpolator()
- StringSubstitutor.replace()
- StringSubstitutor.replaceIn()

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: – “script” – execute expressions using the JVM script execution engine (javax.script) – “dns” – resolve dns records – “url” – load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

CVSS Break Up of Text4shell Vulnerability:


See Also How To Fix CVE-2022-22951(2)- Critical Vulnerabilities In VMware Carbon Black App Control Server

Associated CVE ID CVE-2022-42889
Description A Critical RCE Vulnerability in Apache Commons Text
Associated ZDI ID
CVSS Score 9.8 critical
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV) Network
Attack Complexity (AC) Low
Privilege Required (PR) None
User Interaction (UI) None
Scope Unchanged
Confidentiality (C) High
Integrity (I) High
availability (a) High

Wordfence Report on Text4shell Vulnerability

According to the study shared by Wordfence, a well-known security solution for WordPress websites, attackers have started targeting the vulnerability on around 4 million WordPress websites since 18th Oct. The Wordfence Threat Intelligence Team said that DNS lookups are the majority of requests they have seen in their sturdy which are intended to scan for vulnerable installations. Script lookups are the second most prefix they have found being used in their study. Attackers most likely use the Script prefix to execute arbitrary codes on the victim. Compared to DNS and Script lookups, URL lookups are the least requested captures in their study.

IoCs of Text4shell Captured by Wordfence Threat Intelligence Team

List of source IP addresses from where the attacks emerged*****************

List of domains from where the attacks emerged.


The Impact of Text4Shell Vulnerability:

The flaw is rated Critical with a CVSS score of 9.8 out of 10 on the scale. It’s been rated Critical due to its ease of exploitability with huge potential impact in terms of confidentiality, integrity, and availability.

However, the likelihood of the Text4shell vulnerability can’t be equivalent to Log4Shell or Spring4Shell. Because of two reasons:

    1. The use of the Apache Commons Text library is not prevalent as the Apache Log4j library.
    2. Implementation of StringSubstitutor object with some user-controlled input within production environments is not prevalent as the vulnerable string substitution in Apache Log4j library.

    To exploit the Text4shell vulnerability, your system should meet the following requirements:

    • Run a version of Apache Commons Text from version 1.5 to 1.9
    • Use of the StringSubstitutor interpolator with user-controlled input.

    If your system is met with all the requirements required to exploit, the attacker could abuse the flaw to carry out the remote code execution, which further lead to the disclosure of sensitive information, addition or modification of data, Denial of Service (DoS), gain reverse shell access, or in worst case take control of the complete machine.

    Products Affected by Text4shell Vulnerability

    The flaw affects Apache Commons Text library starting from v1.5 to 1.9. To support this, several security researchers have presented their prof of concept on public forums to denote that the Text4shell vulnerability does exist till v1.9. Organizations who use Apache Commons Text library in their application or project would need to check the version of the Apache Commons Text library they use and fix Text4shell as soon as possible.


    See Also A Step-by-step Guide to Configure SSL/TLS for MySQL on Linux

    How To Fix Text4shell- A Critical RCE Vulnerability in Apache Commons Text?

    Apache Software Foundations has fixed the Text4shell vulnerability in its new release, v1.10.0. In v1.10.0, Apache has disabled the problematic interpolators as the default settings. In the version starting from 1.10.0 Apache has removed the DefaultStringLookup.DNSDefaultStringLookup.URL, and DefaultStringLookup.SCRIPT ( DNS, script, and URL ) lookups from the StringLookupFactory.createDefaultStringLookups() method. This made the attacker unable to input the untrusted data and made the Apache Commons Text library secure from the Text4shell vulnerability.

    We recommend upgrading the Apache Commons Text library to v1.10.0 or greater to fix the Text4shell vulnerability permanently. If you are in a position that doesn’t allow you to upgrade the library, then you should initialize the StringSubstitutor with safe StringLookup configurations. Even in the case that your project does require these lookups, you should implement a security sanitization process before passing the untrusted data to the interpolator object.

    Important Note: It is not mandatory to conclude the version of Apache Commons Text library is vulnerable even if you are using less than 1.10.0. If the if this software uses the StringSubstitutor API without properly sanitizing any untrusted input, irrespective of the version, the flaw could be exploitable even in the case of 1.10.0. or higher. 

    Note that you will never get a binary patch from Apache. If you have to work with source code, you should follow the build instructions for the component version listed below that you are currently using.

    If you need help building this component or other support in following these security mitigation instructions for known vulnerabilities, please reach out to the public user mailing list.

    Leave a Reply