snarang
Product Team
3 years ago

Act4Shell (CVE-2022-42889): Arbitrary Code Execution in Apache Commons Text

Update 10/21: A version check plugin is now available.

What is Act4Shell?

Act4Shell is the nickname given to a vulnerability in Apache Commons Text, a library that provides algorithms for working with strings. The nickname is derived from the name of the library itself: Apache Commons Text (ACT) and borrows the “4shell” moniker from the Log4Shell nickname.

What is CVE-2022-42889?

CVE-2022-42889 is an unsafe script evaluation vulnerability in the default interpolators of Apache Commons Text’s StringSubstitutor class. An attacker can exploit it by supplying a specially crafted string containing untrusted data, commonly through a user input field, that the application then passes through StringSubstitutor for interpolation. Successful exploitation results in arbitrary code execution, or causes the application to perform an arbitrary lookup against an attacker-controlled remote server.
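As an added illustration (my code, not from this post or the Apache project), the weak default-interpolator construction next to an allow-list form that registers no built-in prefixed lookups; it assumes the Commons Text 1.x StringSubstitutor and StringLookupFactory API, and the class name TemplateHardening is a placeholder:

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class TemplateHardening {
    // Weak: createInterpolator() wires in every built-in ${prefix:name} lookup.
    // On Commons Text 1.5 through 1.9 that set includes script, dns and url, so
    // any untrusted text reaching this substitutor can select those lookups.
    static StringSubstitutor weakSubstitutor() {
        return StringSubstitutor.createInterpolator();
    }

    // Hardened: resolve only the application's own variables. No prefixed
    // lookup is registered (empty map) and the built-in defaults are not added
    // (addDefaultLookups = false), so "${prefix:name}" has nothing to dispatch to.
    static StringSubstitutor hardenedSubstitutor(Map<String, String> vars) {
        Map<String, StringLookup> allowedPrefixes = Collections.emptyMap();
        StringLookup varLookup = StringLookupFactory.INSTANCE.mapStringLookup(vars);
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowedPrefixes, varLookup, false);
        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Fail closed: an unknown placeholder raises IllegalArgumentException
        // instead of being left in the output for a later stage to interpret.
        sub.setEnableUndefinedVariableException(true);
        // Do not re-interpolate ${...} that appears inside a resolved value.
        sub.setDisableSubstitutionInValues(true);
        return sub;
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("user", "alice");               // constructed sample data
        StringSubstitutor safe = hardenedSubstitutor(vars);
        System.out.println(safe.replace("Hello ${user}"));

        // Constructed untrusted input using a prefixed lookup; the hardened
        // substitutor has no lookup registered for the "env" prefix and rejects it.
        try {
            safe.replace("Hello ${env:HOME}");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Upgrading to 1.10.0 remains the fix; constructing the substitutor this way additionally keeps application-controlled templates from dispatching to any prefixed lookup, whatever version is on the classpath.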

What is the CVSSv3 score for CVE-2022-42889?

NVD assigned a CVSSv3 score of 9.8.

Who discovered Act4Shell?

Alvaro Muñoz, a security researcher with GitHub Security Lab, discovered it. An advisory was published to GitHub Security Lab on October 17.

Why is this being compared to Log4Shell?

The comparison is drawn because Act4Shell exists within a third-party library used in open-source projects, similar to Apache Log4j, and because its string interpolation syntax ("${prefix:name}") resembles what was observed in Log4Shell.

Will Act4Shell have the same impact as Log4Shell?

Unlike the Apache Log4j library that was widely used across a variety of industries and open and closed source software, Muñoz notes that the prevalence of Act4Shell should be “much less” than that of Log4Shell, reducing its impact.

What versions of Apache Commons Text are vulnerable?

According to Apache’s advisory, versions 1.5 through 1.9 of Apache Commons Text are considered vulnerable.

Is there a patch available for this vulnerability?

Yes, Apache Commons Text 1.10.0 was released on September 24, but an advisory was not released until October 13.

How was Act4Shell discovered?

According to Muñoz, the discovery was a result of variant analysis for Log4Shell using CodeQL, a process by which one leverages a known vulnerability to find similar vulnerabilities within code. Muñoz was also credited with discovering CVE-2022-33980, an arbitrary command execution vulnerability in Apache Commons Configuration.

CVE-2022-33980 and CVE-2022-42889 (Act4Shell) were discovered using CodeQL and both were reported to Apache on March 9, with a fix for CVE-2022-33980 released in July, and a fix for CVE-2022-42889 released on September 24.

Is Tenable looking into product coverage for this vulnerability?

Yes, product coverage for Act4Shell is being investigated. Once product coverage is available, we will update this community post and/or publish a separate community post with relevant details.

Update 10/19: A detection plugin for Apache Commons Text has been released. A version check plugin is in development. This post will be updated once it is available.

Update 10/21: A version check plugin was released on 10/20.

Is this different from Text4Shell or Log4Text?

No, Text4Shell and Log4Text are other nicknames that have been given to this vulnerability. They are associated with the same CVE.


  • yannick_bergero
    Connect Contributor

    Hello, both plugins sometimes report commons-text version 1.3 or 1.4 as version 1.9. The file is named commons-text-1.3.jar or commons-text-1.4.jar and the file contains a manifest with the right version. How are those plugins getting the lib version?

  • snarang
    Product Team

    Hi @Yannick Bergeron,

    Thanks for commenting on this post and letting me know about your issue. In order for us to be able to assist you with the issues you're having, could you please open up a technical support case so that our customer support team can investigate?

    https://community.tenable.com/s/article/How-to-open-a-Technical-Support-Case-from-Community-Portal

    Thanks!

    • yannick_bergero
      Connect Contributor

      Seems it's already fixed. Friday's scan showed 1.9 for a 1.4 jar, but this morning's scan is showing 1.4 correctly.