On 2022-10-13, the Apache Security Team disclosed a critical vulnerability, CVE-2022-42889, in the popular Apache Commons Text library. Commonly known as “Text4Shell”, it can allow an unauthenticated attacker to execute arbitrary code on a vulnerable asset when an application passes attacker-controlled input to the library's string substitution feature. The vulnerability carries a CVSSv3 base score of 9.8/10.
Apache Commons Text versions 1.5 through 1.9 are affected. The fix shipped in Apache Commons Text 1.10.0, so 1.10.0 and later are not affected.
Apache Commons Text is a widely used low-level library for text operations such as escaping, calculating string differences, and substituting placeholders in text with values looked up through interpolators. When the string substitution feature is used, some of the available interpolators (the script, dns and url lookups) can trigger network access or code execution. This is intended behaviour, but it also means that an application which includes unsanitized user input in the string passed to the substitution lets an attacker invoke those interpolators. Version 1.10.0 removes these lookups from the default interpolator, so they have to be enabled explicitly.
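The following is an added example, not code from Brinqa or from the Apache Commons Text project, showing the vulnerable usage pattern next to a hardened one. The class and method names (Text4ShellDemo, vulnerableRender, hardenedRender) and the "user" prefix are hypothetical, and the payload is a constructed, deliberately harmless stand-in for attacker-controlled input. Build it against commons-text 1.9 on a JDK that ships a JavaScript engine (8 through 14) to see the script lookup evaluated; on 1.10.0 the same call leaves the placeholder unresolved, and on a JDK without a script engine the lookup fails instead of executing.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    /**
     * Vulnerable pattern (commons-text 1.5 - 1.9): the default interpolator
     * exposes every built-in lookup, including script:, dns: and url:, to
     * whatever the template contains. If any part of the template is
     * attacker-controlled, the attacker chooses which lookup runs.
     */
    static String vulnerableRender(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    /**
     * Hardened pattern: an explicit allowlist with exactly one lookup, a map
     * of application-supplied values under the hypothetical "user" prefix,
     * and no default lookups pulled in. Unknown ${...} placeholders are left
     * as literal text rather than resolved.
     */
    static String hardenedRender(String template, Map<String, String> values) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("user", StringLookupFactory.INSTANCE.mapStringLookup(values));
        // addDefaultLookups=false keeps script/dns/url/env/sys/etc. out of reach;
        // a null default lookup means an unknown prefix resolves to nothing.
        StringLookup lookup =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(lookup);
        // Already the default; stated explicitly so nobody re-enables nested
        // ${...} inside variable names without noticing.
        sub.setEnableSubstitutionInVariables(false);
        return sub.replace(template);
    }

    public static void main(String[] args) {
        Map<String, String> values = new HashMap<>();
        values.put("name", "Alice");

        // What the application intends to render.
        String intended = "Hello ${user:name}";
        // Constructed hostile input: harmless expression standing in for an
        // attacker's script, so the demo shows evaluation without side effects.
        String hostile = "Hello ${script:javascript:"
            + "java.lang.Runtime.getRuntime().availableProcessors()}";

        // On 1.5 - 1.9 with a JS engine this prints the CPU count, i.e. the
        // attacker's expression was evaluated inside the JVM.
        System.out.println("vulnerable: " + vulnerableRender(hostile));

        // The allowlisted substitutor resolves the intended placeholder and
        // leaves the script: placeholder untouched on every library version.
        System.out.println("hardened:   " + hardenedRender(intended, values));
        System.out.println("hardened:   " + hardenedRender(hostile, values));
    }
}
```

Upgrading to 1.10.0 is the fix; the allowlist is still worth keeping, because it documents which lookups the application relies on and does not depend on the library's default set staying safe.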
Brinqa Response:
Brinqa ships an affected version of Apache Commons Text in parts of its application, but does not pass untrusted strings to the library's substitution feature and, based on the information available at this time, is not vulnerable. The affected library is being updated to 1.10 wherever it is used.
Affected products:
- Brinqa 5.x
- Brinqa 10.x
More updates to come as we get further information.
If you have any questions or concerns, please contact us at security@brinqa.com.