Text4Shell is a critical remote code execution (RCE) vulnerability in the Apache Commons Text library [1]. Apache Commons Text is a Java library focused on algorithms working on strings.
The library performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.
Example exploit string:
${script:javascript:java.lang.Run.Runtime.getRuntime().exec("cat /etc/shadow");}
The library is bundled with Airlock IAM and Gateway/Microgateway (Builder), but the affected functionality is not used. Airlock Microgateway/Gateway and IAM are therefore not affected.
Airlock Microgateway/Gateway protects typical vulnerable systems with the Default Deny Rules at security level Standard and Strict.
We recommend updating vulnerable back-end systems as soon as possible, even though a properly configured Airlock Gateway/Microgateway may prevent exploitation of the vulnerability.
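To make the deny-rule idea concrete, the following is an added illustration (not Airlock's Deny Rule implementation and not code from the Apache Commons Text project) of what a request filter in front of a vulnerable back-end has to do: normalise URL-encoding, then flag `${...}` interpolation strings whose lookup prefix is one of the code-executing or network-reaching defaults. The lookup names and the sample requests are assumptions constructed for the example.

```python
"""Flag Apache Commons Text interpolation lookups (Text4Shell) in HTTP request data.

Added example for this advisory; it is not Airlock's or Apache's code.
The lookup list and the sample requests below are constructed assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote

# Assumed list of default lookups in Commons Text 1.5-1.9 that can run code
# ("script") or contact remote hosts ("dns", "url").
DANGEROUS_LOOKUPS = ("script", "dns", "url")

# "${<lookup>:" -- case-insensitive, tolerant of stray whitespace so that
# obfuscated variants are still caught (the filter deliberately over-matches).
LOOKUP_RE = re.compile(
    r"\$\{\s*(" + "|".join(DANGEROUS_LOOKUPS) + r")\s*:", re.IGNORECASE
)


def normalize(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (e.g. %2524%257B...) are
    matched; bounded so a pathological input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lookups(value):
    """Return the sorted set of dangerous lookup prefixes found in one value."""
    return sorted({m.group(1).lower() for m in LOOKUP_RE.finditer(normalize(value))})


def inspect_request(request):
    """request: dict with optional 'query' (raw query string), 'headers' (dict)
    and 'body' (str). Returns a list of (location, lookup) findings; an empty
    list means the request carries no dangerous interpolation string."""
    findings = []
    for key, val in parse_qsl(request.get("query", ""), keep_blank_values=True):
        findings += [(f"query:{key}", lk) for lk in find_lookups(val)]
    for name, val in request.get("headers", {}).items():
        findings += [(f"header:{name}", lk) for lk in find_lookups(val)]
    findings += [("body", lk) for lk in find_lookups(request.get("body", ""))]
    return findings


# Constructed sample traffic: one benign request, one with a plain payload in
# the query string, one with a double-encoded payload in a header.
SAMPLE_REQUESTS = [
    {"query": "q=hello%20world", "headers": {"User-Agent": "curl/8.0"},
     "body": "price=${10}"},
    {"query": "q=%24%7Bscript%3Ajavascript%3A1%2B1%7D", "headers": {}, "body": ""},
    {"query": "", "headers": {"X-Test": "%2524%257Bdns%253Aaddress%253Aexample.com%257D"},
     "body": ""},
]


def main():
    for i, req in enumerate(SAMPLE_REQUESTS, 1):
        findings = inspect_request(req)
        verdict = "BLOCK" if findings else "ALLOW"
        print(f"request {i}: {verdict} {findings}")


if __name__ == "__main__":
    main()
```

Note that the second and third sample requests are blocked while the benign `${10}` in the first body passes, because the filter keys on the lookup prefix rather than on the `${` syntax alone; a filter that does not decode repeatedly would miss the double-encoded header value.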
For Airlock Gateway make sure that the following Deny Rules Group is enforced in Level Standard or Strict: