SECURITY ALERTS

A Text4Shell Vulnerability (CVE-2022-42889) Exists in Apache Commons Text, Allowing Arbitrary Code Execution

DESCRIPTION:
A Text4Shell vulnerability (CVE-2022-42889) exists in Apache Commons Text. The set of default Lookup instances included interpolators that could result in arbitrary code execution.

AFFECTED RELEASES:
Apache Commons Text versions 1.5 through 1.9

SOLUTION:
Users and system administrators of affected products are advised to refer to the official webpage (https://commons.apache.org/proper/commons-text/download_text.cgi) to update Apache Commons Text to 1.10.0 or above.
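
One way to check a host for the affected releases listed above, as an added example (not part of the original advisory and not Apache tooling): it walks a directory, opens each .jar/.war/.ear including nested archives, and reads the commons-text version from the Maven pom.properties entry or, failing that, from the file name. The nesting limit and the function names are assumptions of this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Standard Maven metadata entry inside a commons-text jar (often kept by shaded jars too).
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
JAR_NAME = re.compile(r"commons-text-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")
MAX_DEPTH = 3  # assumption: how deep to follow jars nested inside wars/fat jars

def is_affected(version):
    """True for 1.5 through 1.9, the range listed under AFFECTED RELEASES."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:2]]
    return len(nums) == 2 and (1, 5) <= tuple(nums) <= (1, 9)

def scan_archive(source, label, depth=0):
    """Return (location, version) for each commons-text copy in a zip, nested jars included."""
    hits = []
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return hits  # not a readable archive, skip it
    with zf:
        names = zf.namelist()
        match = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.M)
        match = match or JAR_NAME.search(label)  # fall back to the file name
        if match:
            hits.append((label, match.group(1).strip()))
        for name in (names if depth < MAX_DEPTH else []):
            if name.lower().endswith(ARCHIVES):
                hits += scan_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}", depth + 1)
    return hits

def find_affected(root):
    """Sorted (location, version) pairs under root that fall in the affected range."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            hits += scan_archive(path, str(path))
    return sorted(h for h in hits if is_affected(h[1]))

if __name__ == "__main__":
    for location, version in find_affected(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"AFFECTED commons-text {version}: {location}")
```

Run it with the application or deployment directory as the only argument; every line it prints is a copy that should be updated to 1.10.0 or above.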

 

REFERENCE:
1. https://nvd.nist.gov/vuln/detail/CVE-2022-42889
2. https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
3. https://www.openwall.com/lists/oss-security/2022/10/13/4
4. https://thehackernews.com/2022/10/hackers-started-exploiting-critical.html
5. https://zh-tw.tenable.com/plugins/nessus/166250
6. https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=10140
