Apache Commons Text flaw is different from Log4Shell, experts say

The Apache Software Foundation, best known for its open-source web server, has announced a new vulnerability in one of its libraries. Some rushed to the conclusion that it was Log4Shell all over again. Researchers, however, say the comparison is flawed.

The vulnerability was discovered in Apache Commons Text, a library focused on algorithms for character string manipulation that includes data interpolation capabilities.

"As you can imagine, allowing untrusted input, such as data submitted in a web form or content extracted from an email, to be processed by a part of your program that performs substitution or interpolation can be a cybersecurity nightmare," Sophos noted in its analysis of the bug.

Successful exploitation could let threat actors inject their own code, exposing applications to remote code execution or to unwanted contact with remote servers.
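The risk Sophos describes, untrusted text reaching the part of the program that performs substitution, comes down to which string is treated as the template. The following Java snippet is an added illustration, not code from the article or from the Commons Text project; it assumes Apache Commons Text is on the classpath, and the class and method names it uses (StringSubstitutor, createInterpolator, setDisableSubstitutionInValues) are taken from the library's public API as the editor knows it rather than from the article. It places the risky pattern beside a safer one.

```java
// Added example (not from the article or the Commons Text project).
// Assumes Apache Commons Text on the classpath; StringSubstitutor,
// createInterpolator() and setDisableSubstitutionInValues() are the
// library's public API as the editor knows it.
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;

public class InterpolationBoundary {

    // RISKY PATTERN: the untrusted string itself becomes the template.
    // createInterpolator() wires in the library's default lookups, so any
    // "${...}" syntax inside the input is resolved by the library instead of
    // being treated as literal text. Form fields, email bodies and similar
    // untrusted content should never be routed through this path.
    static String riskyRender(String untrustedInput) {
        return StringSubstitutor.createInterpolator().replace(untrustedInput);
    }

    // SAFER PATTERN: the template is a developer-controlled constant and the
    // untrusted input is only ever a value supplied to that template.
    // A map-backed substitutor can resolve nothing beyond the keys it is given,
    // and substitution inside resolved values is switched off so that "${...}"
    // arriving in the data is emitted verbatim rather than interpreted.
    private static final String GREETING = "Hello, ${user}! Ticket ${ticket} is open.";

    static String safeRender(String untrustedUser, String ticketId) {
        Map<String, String> values = Map.of("user", untrustedUser, "ticket", ticketId);
        StringSubstitutor sub = new StringSubstitutor(values);
        sub.setDisableSubstitutionInValues(true);
        return sub.replace(GREETING);
    }

    public static void main(String[] args) {
        // Constructed sample input: a user-supplied name that happens to contain
        // interpolation syntax. Through safeRender it remains plain text.
        String fromForm = "Alice ${not.a.variable}";
        System.out.println(safeRender(fromForm, "42"));
    }
}
```

When auditing a code base for this issue, the question to ask of each call into the substitution API is whether the template argument can be derived from request data, message content or anything else an outsider controls; calls where only the values come from outside, as in safeRender, are the common and low-risk case Budd and Galinkin describe.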

Some pundits jumped to conclusions, saying it was Log4Shell all over again. Multiple researchers, however, now say this does not appear to be the case.

"Log4J is a widely used Java library, and any web server running the vulnerable version could have been easily exploited, while the Commons Text library isn't as prevalent," Christopher Budd, senior manager at Sophos Threat Research, told Cybernews via email.

"Additionally, Log4J can be exploited with generic code, while this new vulnerability likely requires code that is specific and targeted. Finally, most applications will not be passing unsanitized user-provided values to the library's vulnerable functions, reducing or negating the exploitation risks," Budd said.

According to Rapid7 Principal Artificial Intelligence Researcher Erick Galinkin, the newly discovered vulnerability was compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object.

"However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input," he said.

Organizations should update to the fixed version according to the "normal, hair-not-on-fire patch cycle."