Further information
Commons Text is a general-purpose text manipulation toolkit, described simply as “a library focused on algorithms working on strings”.
Even if you are a programmer who has not knowingly chosen to use it yourself, you may have inherited it as a dependency – part of the software supply chain – from other components you are using.
Also, if you do not code in Java, or are not a programmer at all, you may have one or more applications in your business that contains this library.
Nexus strongly recommends you to contact your other suppliers as well.
Technical information for those further interested in the vulnerability
The Commons Text toolkit includes a handy Java component known as a StringSubstitutor
object, created with a Java command like this:
StringSubstitutor interp = StringSubstitutor.createInterpolator();
Once you have created an interpolator, you can use it to rewrite input data in handy ways. See an example below:
String str = "You have-> ${java:version}";
String rep = interp.replace(str);
Example output: You have-> Java version 19
String str = "You are-> ${env:USER}";
String rep = interp.replace(str);
Example output: You are-> duck
The replace()
function processes its input string as if it is a kind of simple software program in its own right, copying the characters one-by-one except for a variety of special embedded ${...}
commands that are very similar to the ones used in Log4J.
Examples from the documentation (derived directly from the source code file StringSubstitutor.java
) include:
Programming function Example
-------------------- ----------------------------------
Base64 Decoder: ${base64Decoder:SGVsbG9Xb3JsZCE=}
Base64 Encoder: ${base64Encoder:HelloWorld!}
Java Constant: ${const:java.awt.event.KeyEvent.VK_ESCAPE}
Date: ${date:yyyy-MM-dd}
DNS: ${dns:address|apache.org}
Environment Variable: ${env:USERNAME}
File Content: ${file:UTF-8:src/test/resources/document.properties}
Java: ${java:version}
Script: ${script:javascript:3 + 4}
URL Content (HTTP): ${url:UTF-8:http://www.apache.org}
URL Content (HTTPS): ${url:UTF-8:https://www.apache.org}
The dns
, script
and url
functions are particularly dangerous, since they could lead to untrusted data, received from outside your network, but processed or logged on one of the business logic servers inside your network, doing the following:
dns: Lookup a server name and replace the ${...} string with the given value returned. If attackers use a domain name they themselves own and control, then this lookup will terminate at a DNS server of their choosing. (The owner of a domain name is, in fact, obliged to provide what is known as definitive DNS data for that domain.)
url: Lookup a server name, connect to it using HTTP or HTTPS, and use what is sent back instead of the string ${...}. The danger posed by this behavior depends on what the replacement string is used for.
script: Run a command of the attacker's choosing. We were only able to get this function to work with older versions of Java, because there is no longer a JavaScript engine built into Java itself. But many companies and apps still use old-but-still-supported Java versions such as 1.8 (JDK 8) and 11.0 (JDK 11), on which the dangerous ${script:javascript:...} remote code execution interpolation trick works just fine.
-----
String str = "DNS lookup-> ${dns:address|nakedsecurity.sophos.com}";
String rep = interp.replace(str);
Output: DNS lookup-> 192.0.66.227
-----
String str = "Stuff sucked from web-> ---BEGIN---${url:UTF8:https://example.com}---END---"
String rep = interp.replace(str);
Output: Stuff sucked from web-> ---BEGIN---<!doctype html>
<html>
<head>
<title>Example Domain</title>
. . .
</head>
<body>
<div>
<h1>Example Domain</h1>
[. . .]
</div>
</body>
</html>---END---
-----
String str = "Run some code-> ${script:javascript:6*7}"
String rep = interp.replace(str);
Output: Run some code-> 42
Sources: https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/