A new vulnerability in Apache, identified in the open source Commons Text library, is alarming IT administrators.

The new vulnerability has been named Text4Shell, and the Apache foundation has corrected this serious flaw by upgrading the open source library to version 1.10.0.

Vulnerability CVE-2022-42889

The Text4Shell vulnerability, tracked as CVE-2022-42889 and rated with a CVSS severity score of 9.8 out of 10.0, is a remote code execution (RCE) flaw: it could allow an attacker to execute arbitrary code on the target computer and compromise the entire host.

In the known exploit, the netcat (nc) command is used to open a reverse shell from the vulnerable application. Apache has already released a library update that fixes this problem. Although the vulnerability remained uncorrected for seven months, no documented cases of exploitation have been reported.

Text4Shell: vulnerability in Apache

The library update resolves the issue by changing the default configuration: the problematic interpolators are now disabled by default.

Affected organizations are urged to correct the flaw immediately by applying the update from the official Apache source.
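The practical first step for an administrator is finding every copy of commons-text that a build pulls in, including transitive copies, and checking whether each one is below the fixed 1.10.0 release named above. The script below is an added example written for this article, not code from Apache or from the article itself. It scans the text output of Maven's `mvn dependency:tree` (the constructed sample inside the block imitates that format) and flags any `org.apache.commons:commons-text` coordinate whose version is older than 1.10.0. The only threshold it assumes is the one the article gives: anything below 1.10.0 needs the upgrade.

```python
import re
from typing import Dict, List, Tuple

# Fixed release per the article: Apache Commons Text 1.10.0 disables the
# problematic interpolators by default. Anything older is flagged.
FIXED_VERSION: Tuple[int, int, int] = (1, 10, 0)

# Maven coordinate as printed by `mvn dependency:tree`:
#   groupId:artifactId:packaging:version[:scope]
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::[\w\-]+)?")

# Constructed sample output (not captured from a real build) containing one
# direct commons-text 1.9 and one transitive commons-text 1.10.0.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.11:compile
[INFO] \\- com.example:reporting:jar:2.3.1:compile
[INFO]    \\- org.apache.commons:commons-text:jar:1.10.0:compile
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.9' or '1.10.0-SNAPSHOT' into a numeric (major, minor, patch) tuple.

    Numeric comparison matters: as plain strings, '1.9' sorts *after* '1.10.0',
    which would wrongly mark the vulnerable 1.9 as up to date.
    """
    core = text.split("-")[0]          # drop qualifiers such as -SNAPSHOT
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break                      # stop at the first non-numeric segment
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)                # '1.9' -> (1, 9, 0)
    return (parts[0], parts[1], parts[2])


def is_fixed(version: str) -> bool:
    """True when the given commons-text version is 1.10.0 or newer."""
    return parse_version(version) >= FIXED_VERSION


def find_commons_text(tree_output: str) -> List[Dict[str, object]]:
    """Return every commons-text coordinate found in dependency-tree output,
    with a 'vulnerable' flag for versions below 1.10.0."""
    hits: List[Dict[str, object]] = []
    for line in tree_output.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        group, artifact, version = match.groups()
        if group == "org.apache.commons" and artifact == "commons-text":
            hits.append({
                "version": version,
                "vulnerable": not is_fixed(version),
                "line": line.strip(),
            })
    return hits


def report(tree_output: str) -> List[str]:
    """Human-readable findings, one string per commons-text occurrence."""
    lines = []
    for hit in find_commons_text(tree_output):
        status = "UPGRADE REQUIRED (< 1.10.0)" if hit["vulnerable"] else "ok"
        lines.append(f"commons-text {hit['version']}: {status}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_TREE):
        print(finding)
```

Run it against the real output of `mvn dependency:tree` piped into a file, or adapt `COORD_RE` for Gradle's `dependencies` task. Note that a project can carry more than one copy of the library through different transitive paths, as the sample shows; every copy below 1.10.0 has to be raised, not just the direct one.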