Security Advisory: Text4Shell Attack

Tony Loehr
Developer Advocate

GitHub Security Lab recently published a security advisory regarding a newly discovered vulnerability enabling Remote Code Execution (RCE) in Apache Commons Text. Affected versions of Apache Common Text include version numbers 1.5-1.9. The widespread, easy-to-exploit nature of CVE-2022-42889, which loosely mirrors the Log4Shell attack, has earned it the nickname Text4Shell or Act4Shell.

CVE-2022-42889 / Text4Shell Explained

The Text4Shell vulnerability has existed in the wild since 2018. Attacks using this vulnerability have been rising since its discovery. With a criticality score of 9.8, mitigating this vulnerability is critical to preventing remote code execution and privilege escalation. 

What Is CVE-2022-42889?

Apache Commons Text is a library containing Java classes that enable the measuring and manipulation of strings. Attackers can exploit the vulnerability in cases where some Java code uses Apache Commons Text and passes attacker-controlled data to specific functions. The Text4Shell exploit described in CVE-2022-42889 requires the usage of the StringSubstitutor interpolator class to be viable.

Because Text4Shell requires specific conditions, attackers must count on the presence of implementations of certain classes and configurations. By contrast, the Log4Shell vulnerability only requires the presence of the Log4J class to be exploited. For this reason, Text4Shell is likely to be less widespread than Log4Shell. 

CVE-2022-42889 is a vulnerability that enables attackers to bypass security measures and run malicious code on a victim machine. A proof-of-concept verifying this vulnerability was recently published, raising awareness of the issue for defenders and attackers.

Who Does CVE-2022-42889 Affect?

Any organization using Apache Commons Text version 1.5 through version 1.9 is potentially vulnerable to Text4Shell/Act4Shell. To be exploited, the code must use one of the vulnerable functions that expand text with lookups. The vulnerable functions include:

Introduction Key Method
1.3 env  environmentVariableStringLookup()
1.3 localhost localHostStringLookup()
1.3 sys systemPropertyStringLookup()
1.5 const constantStringLookup()
1.5 date dateStringLookup()
1.5 file fileStringLookup()
1.5 java javaPlatformStringLookup()
1.5 properties propertiesStringLookup()
1.5 urlDecoder urlDecoderStringLookup()
1.5 urlEncoder urlEncoderStringLookup()
1.5 xml xmlStringLookup()
1.5 url urlStringLookup()
1.5 script scriptStringLookup()
1.6 base64Decoder base64DecoderStringLookup()
1.6 base64Encoder base64EncoderStringLookup()
1.6 resourceBundle resourceBundleStringLookup()
1.8 dns dnsStringLookup()


Using the default string interpolator through these methods may lead to remote execution through attacker-controlled data.

How Do I Mitigate the Risk of Being Affected by Text4Shell?

Upgrading to Apache Common Text 1.10.0 or newer provides the necessary security fix to mitigate the risk of CVE-2022-42889. 

Similarly to Log4J, a challenge to protecting your organization involves visibility. Beyond just direct dependencies, transitive dependencies with an affected version of Apache Common Text are just as capable of compromising the project’s security.

How Cycode Can Help Prevent Text4Shell

Cycode offers Next-Gen SCA: Pipeline Composition Analysis to help prevent vulnerabilities like CVE-2022-42889 from becoming a liability to your organization. Pipeline Composition Analysis (PCA) builds upon the capabilities of Software Composition Analysis (SCA) tools by scanning not just source code for dependencies, but every other potential location throughout the development and deployment pipeline, such as within Kubernetes clusters

Because Cycode gives you visibility into your entire development pipeline, you can easily trace the path of a vulnerability from code to deployment locations to ensure that your organization has remediated every instance of a vulnerability. This context further enables security teams to prioritize exploitable configurations, helping slice through the noise of false positives.

Increased Visibility

Cycode gives you complete visibility of all the tools, processes, and dependencies that make up your SDLC. Traditional SCA solutions only look at application code, which means they provide no visibility into your development and deployment environments. When new vulnerabilities like CVE-2022-42889 are disclosed, Cycode’s visibility allows you to immediately understand whether your organization is at risk. The additional context provided by PCA helps slice through the noise of false positives.

Expanded Dependency Scanning

Unlike traditional SCA solutions, Cycode scans beyond application code throughout the development and deployment pipeline to find vulnerable dependencies that might present a risk. Vulnerable dependencies exist in more places than just source code, including build files, Jenkins Plugins, GitHub Actions, IaC templates, and more.

Cycode scans all of these dependencies for Text4Shell so that you can be sure every instance of the vulnerability is found and remediated.

Development to Deployment Locations

Cycode gives you visibility into your entire development pipeline, so you can easily trace the path of a vulnerability from code to deployment locations, such as identifying which Kubernetes clusters contain a specific vulnerability. This enables organizations to respond faster and ensures that every instance of a vulnerability has been remediated. Because Text4Shell is so ubiquitous, all instances must be remediated to fully eliminate the risk of a breach.

Threat Intelligence Alerts

Cycode’s Threat Intelligence dashboard alerts you when new vulnerabilities arise. It also provides alerts if any of your assets are vulnerable to these threats. 

Remediating Text4Shell Using a Code-to-Cloud Approach

In addition to PCA capabilities, Cycode provides a multi-pronged approach that helps prevent vulnerabilities like CVE-2022-42889 that arise from a lack of visibility and governance. The code-to-cloud approach to security helps detect instances of vulnerabilities in source code, build systems, deployment locations, and more. Cycode’s knowledge graph enables this capability:

Cycode’s knowledge graph provides valuable insights into project configurations. This information enables prioritization based on exploitability. Insights provided by Cycode’s knowledge graph help provide full visibility over dependencies.

In this graphic, we return assets vulnerable to CVE-2022-42889.

The Cycode platform also helps prevent known pipeline vulnerabilities from entering your codebase in the first place through developer-friendly workflows that introduce security at the earliest stages of development. In addition, the Cycode CLI provides early warnings to developers, preventing secrets and IaC misconfigurations from ending up in source control, saving valuable developer time.

Learn more

Cycode is your best line of defense in identifying and remediating vulnerable dependencies. When a new vulnerability like CVE-2022-42889 is disclosed, Cycode scans your entire SDLC to identify every instance of the vulnerability so you can be sure you’re secure.

Want to learn more? Schedule a demo or try us for free today.