Christopher Lutat

open-appsec/CloudGuard AppSec preemptive protection for text4shell zero-day attack (CVE-2022-42889)

open-appsec/CloudGuard AppSec's machine-learning based WAF provides preemptive protection (no software update needed) against the latest “Apache Commons Text” vulnerability (CVE-2022-42889), a critical zero-day with a CVSS score of 9.8/10.


CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10.0. You are advised to upgrade your servers as recommended by Apache.




This blog provides some background on this new critical vulnerability as well as details on how open-appsec/CloudGuard AppSec was able to prevent it, using the same ML-based approach that also preemptively prevented the other recent, well-known “4shell” exploits, “log4shell” (and its mutations) and “spring4shell”.

About Apache Commons Text


Apache Commons is an Apache project focused on all aspects of reusable Java components. The component “Apache Commons Text” is a library of algorithms that work on strings. It is very broadly used, as can be seen from the 2,500 projects listed here: Maven Repository: org.apache.commons » commons-text (Usages) (mvnrepository.com)


Critical vulnerability CVE-2022-42889 (CVSS 9.8/10)

On October 13, 2022 CVE-2022-42889, a new critical 0-day vulnerability in “Apache Commons Text”, was published, which immediately brings back memories of the log4shell attacks at the end of 2021 (CVE details here: NVD - CVE-2022-42889 (nist.gov) )

The vulnerability's CVSS 3.1 base score is 9.8 “CRITICAL” with vector “AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H”. In short: the attack can be carried out over the network (remotely exploitable), attack complexity is low, no privileges are required, no user interaction is needed, and a successful exploit has high impact on confidentiality, integrity and availability.


The actual vulnerability lies in Commons Text's variable interpolation functionality, which evaluates and expands properties dynamically using the expression "${prefix:name}", where "prefix" selects the instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. In versions 1.5 through 1.9 the default set of interpolators includes the “script” lookup (which evaluates a script expression through a JSR-223 script engine), the “dns” lookup and the “url” lookup, so an application that passes untrusted input to the default interpolator can be tricked into remote code execution or into contacting attacker-chosen hosts.


Applications which include a vulnerable version of Commons Text and use the default interpolators can therefore be vulnerable both to remote code execution and to unwanted communication with remote servers, whenever untrusted values reach the interpolation (the “script”, “dns” and “url” interpolators were removed from the default set in v1.10.0).
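To make the mechanism concrete, here is an added example (not code from the original post, from Apache or from open-appsec) showing the vulnerable way to expand "${prefix:name}" templates next to a hardened version that only registers an explicit allow-list of lookups. It assumes commons-text on the classpath; the class name, the "app" prefix and the sample input are made up for the illustration, and the script payload used is deliberately harmless (it evaluates 3 + 4, it does not run a command).

```java
// Added example: vulnerable vs. hardened use of Commons Text interpolation.
// Assumes org.apache.commons:commons-text on the classpath (1.5-1.9 to see
// the vulnerable behaviour, 1.10.0 to see the fixed default set).
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    // VULNERABLE on Commons Text 1.5-1.9: the default interpolator resolves the
    // "script", "dns" and "url" prefixes, so an attacker-controlled template is
    // evaluated. On 1.10.0 those three are no longer in the default set and the
    // same call leaves the template unresolved.
    static String vulnerableExpand(String untrusted) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.interpolatorStringLookup());
        return sub.replace(untrusted);
    }

    // HARDENED: only an explicit allow-list of lookups is registered and the
    // built-in defaults are NOT added (third argument false). A prefix that is
    // not on the list, such as "script", is left unresolved and comes back as
    // literal text instead of being executed.
    static String hardenedExpand(String untrusted, Map<String, String> appValues) {
        Map<String, StringLookup> allowed = Map.of(
                "app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator).replace(untrusted);
    }

    // Belt and braces: a request field that is never supposed to carry a
    // template should be rejected before it reaches any interpolator at all.
    static boolean looksLikeTemplate(String s) {
        return s != null && s.contains("${");
    }

    public static void main(String[] args) {
        // Constructed sample input: a script lookup with a harmless expression.
        String payload = "${script:javascript:3 + 4}";
        Map<String, String> appValues = Map.of("name", "demo");

        System.out.println("template check : " + looksLikeTemplate(payload));
        System.out.println("hardened       : " + hardenedExpand(payload, appValues));
        System.out.println("hardened (app) : " + hardenedExpand("hello ${app:name}", appValues));

        // Whether the vulnerable path evaluates the script depends on the
        // library version and on a JSR-223 JavaScript engine being present
        // (Nashorn ships with JDK 8-14 only); catch the failure so the demo
        // completes on every combination.
        try {
            System.out.println("default lookups: " + vulnerableExpand(payload));
        } catch (RuntimeException e) {
            System.out.println("default lookups threw: " + e);
        }
    }
}
```

The hardened variant is the pattern to keep even after upgrading to 1.10.0: the fix only changes the default set, so an application that explicitly registers the script, dns or url lookups re-opens the same hole.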


Preemptive “text4shell” prevention using open-appsec


open-appsec/CloudGuard AppSec’s contextual machine learning engine provides preemptive protection against “text4shell” attacks (as it did for e.g. Log4shell and Spring4shell) by not relying on the classical signature-based approach of traditional WAF solutions, but on a machine learning-based approach that does not depend on signatures at all. It provides modern, effective protection for web applications and APIs against known and unknown attacks and can be deployed in the most common scenarios, ranging from K8s ingress controller-based protection to virtual machine-based reverse proxies (e.g. by integrating into NGINX). It is available as a free and open-source community edition.


open-appsec/CloudGuard AppSec uses contextual analysis to learn how users normally interact with your web application. It then uses this information to automatically detect requests that fall outside of normal operations, and sends those requests for further analysis to decide whether the request is malicious or not.


open-appsec/CloudGuard AppSec's Contextual Machine Learning Engine is powered by two different machine learning models:

  • A supervised model that was trained offline and fed with millions of requests, both malicious and benign.

  • An unsupervised model that is being built in real time in the protected environment. This model uses traffic patterns specific to this environment.


Below you can find a screenshot of an open-appsec/CloudGuard AppSec log created for a preemptively prevented text4shell example exploit (based on the “script” lookup prefix explained above), shown as the “Matched Sample”. open-appsec would block any command, not just the one in the example:


${script:javascript:java.lang.Run.Runtime.getRuntime().exec("cat /etc/shadow");}

The HTTP request was then automatically classified, based on the indicators found, into potential incident types such as “Remote Code Execution” (see “AppSec Incident Type”).


Conclusion


Preemptive protection against cyber attacks is critical because a vulnerability may have been known to bad actors before publication, and because it naturally takes time for everyone to patch; the time between disclosure and patch is known as the “vulnerability window”.


To keep up with the ever-changing threat landscape, it is imperative that security strategies evolve to include new tools with new ideas. open-appsec / CloudGuard AppSec is a fully automated web application and API security solution, powered by a machine learning engine that continuously analyzes and learns from the HTTP requests made to your website or API.


You can find more info about zero day attack prevention in general and how open-appsec achieves this in this blog Zero day attack prevention (openappsec.io)




Experiment with open-appsec for Linux, Kubernetes or Kong using a free virtual lab
