Text4Shell

IDs: 
CVE-2022-42889
Keywords: 
commons, text4shell
Description: 

Text4Shell is a critical remote code execution (RCE) vulnerability in the Apache Commons Text library [1]. Apache Commons Text is a Java library focused on algorithms working on strings.

The library performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators (script, dns and url) that could result in arbitrary code execution or contact with remote servers when attacker-controlled text reaches the interpolator. Version 1.10.0 removes these three lookups from the default set.

Example exploit string:

${script:javascript:java.lang.Runtime.getRuntime().exec("cat /etc/shadow");}

The library is available/used by Airlock IAM and Gateway/Microgateway (Builder), but the affected functionality is not used. Airlock Microgateway/Gateway and IAM are therefore not affected.

Airlock Microgateway/Gateway protects typical vulnerable systems with the Default Deny Rules in level Standard and Strict.
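The following is an added example (not Airlock's or Apache's code) showing the vulnerable StringSubstitutor pattern from the description beside a hardened form, plus a request-level pattern check of the kind a template-injection deny rule performs. It assumes commons-text on the classpath; the class name, the UNTRUSTED sample input and the "app"/"note" keys are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    // Constructed sample of attacker-controlled input, e.g. a request parameter.
    static final String UNTRUSTED =
        "Hello ${script:javascript:java.lang.Runtime.getRuntime().exec('id')}";

    // VULNERABLE on commons-text 1.5 through 1.9: createInterpolator() wires in the
    // full default lookup set, which includes script, dns and url, so untrusted text
    // passed to replace() is evaluated rather than merely expanded.
    // (Before 1.8 the equivalent is
    //  new StringSubstitutor(StringLookupFactory.INSTANCE.interpolatorStringLookup()).)
    static String vulnerable(String input) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace(input);
    }

    // HARDENED: interpolate only against an explicit allow-list of lookups.
    // addDefaultLookups=false keeps script/dns/url out on every library version;
    // a prefix that is not in the map (e.g. "script") resolves to null and the
    // variable is left in the output as literal text, so nothing is executed.
    static String hardened(String input, Map<String, String> appValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        StringLookup lookup = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, null, false);
        return new StringSubstitutor(lookup).replace(input);
    }

    // Edge-side check in the spirit of a template-injection deny rule: flag the
    // interpolator prefixes this CVE concerns. Case-insensitive because the
    // interpolator lower-cases the prefix before matching it against its lookups.
    // This is pattern matching, not parsing, so it is a mitigation for the edge
    // and not a substitute for patching the back end.
    static final Pattern PROBE = Pattern.compile(
        "\\$\\{\\s*(?:script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    static boolean looksLikeText4Shell(String s) {
        return PROBE.matcher(s).find();
    }

    public static void main(String[] args) {
        Map<String, String> appValues = new HashMap<>();
        appValues.put("note", "ok");            // the only value the app wants expanded

        System.out.println("flagged: " + looksLikeText4Shell(UNTRUSTED));
        // ${app:note} expands, ${script:...} stays literal and is never evaluated.
        System.out.println(hardened("x ${app:note} " + UNTRUSTED, appValues));
        // vulnerable(UNTRUSTED) would run `id` on 1.5-1.9; do not call it on a live system.
    }
}
```

If the application only needs plain `${name}` substitution from its own values, `new StringSubstitutor(appValues)` with a `Map<String, String>` is simpler still, because it has no prefix lookups at all. Either way, upgrade to 1.10.0 or later so that a later call site that does use `createInterpolator()` does not silently reopen the hole.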


Resolution: 

We recommend updating vulnerable back-end systems as soon as possible, even when a properly configured Airlock Gateway/Microgateway might prevent exploitation of the vulnerability.

For Airlock Gateway, make sure that the following Deny Rule Group is enforced in Level Standard or Strict:

  • Airlock Gateway 7.8 and above: (default TI_001a) Template injection
  • Airlock Gateway 7.6 and 7.7: (default TI_001a) Template injection
Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock