Text4Shell, the new unpleasant surprise from Apache.
Security weekly

Hi and welcome to another Security weekly, where we laugh, we cry, and share the latest and greatest in security and tech news.
Did you know? A cat has 32 muscles in each ear. Which my neighbor's cat refuses to use when I tell him to f*ck off while he's taking a dump in my garden.
In this week's edition:
📝 Vulnerability of the week: Apache Commons Text aka Text4Shell
🎣 Grab your rods girls & boys, we're about to go phishing!
🔥 The quick and dirty
Reading time: a solid 02:58
Vulnerability of the week: Apache Commons Text aka Text4Shell
Scored a 9.8 CRITICAL on its CVE (CVE-2022-42889), this isn't something to scroll past. Although "Apache" sounds like a tool we don't use, you'd be surprised where it can be found. Let me guide you through first aid for 'Text4Shell'.
Okay, lay the juice on me big man. What is it?
Well, the exploit itself is rather technical, so let me do what I do best: make it easy on the eyes.

(I pre-read this to my 4-month-old son, and he seemed to understand. Or he just shat himself, either one.)
Apache Commons Text is a library: a collection of pre-written code. Such libraries exist to support certain features and make them available to both the developer and the program, and they make it easier for developers to (re-)use functions. Yes? Ok. Every program has libraries, so nothing out of the ordinary there. BUT (of course there's a but, what did you expect?) Commons Text has a feature called string interpolation: it takes a piece of text, finds placeholders that look like ${something:value}, and replaces them with something else. Some of those placeholders don't just look a value up, they act: ${script:...} runs a script, ${url:...} fetches a URL and ${dns:...} does a DNS lookup. Luckily the application doesn't have to switch those dangerous ones on BUT (another one)

They were switched on by default (in versions 1.5 through 1.9). So if an application passes text that a user typed through this feature, that user can make the server run a script or call out to the internet, with nothing but "plain text". Where does user text come from? Forms, for one. Let's say a contact form on your website, but also other systems that process user data, in ways you (and me) would never think about. Doesn't sound too good, right?
Where does the name come from?
The name comes from Log4Shell, another vulnerability which caused a lot of sleepless nights for a lot of IT guys back in December 2021. (Is this going to be a yearly re-occurrence? 4ShellFestival?)
Since Log4Shell and Text4Shell share the same 'method' (a ${...} placeholder in a string that the library expands, including ones that reach out to the network or run code), 'application' (Apache) and 'language' (Java), deciding on the name was 'ez' (easy). One difference worth knowing: Log4Shell triggered on pretty much any string that got logged, while Text4Shell only bites when the application itself passes your text through the Commons Text interpolation feature. Fewer apps do that, which is why this one hasn't set the world on fire the same way. Not an excuse to skip it though.
Ok so, what do I do?
There is an update released, version 1.10.0, which takes the dangerous lookups (script, dns, url) out of the default set, so an application now has to opt in to them explicitly. The only real struggle is finding which applications in your network use the Commons Text library (versions 1.5 up to and including 1.9 are affected). Most vendors will come out with an update to fix this for you, but be careful with smaller vendors, or in-house built apps: check their dependency lists for commons-text and upgrade it yourself where nobody else will.
You patch. And keep patching. Don't look back!
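To make both the mechanism above and the fix concrete, here is an added example (mine, not Apache's code and not from the newsletter): a contact-form handler written the vulnerable way next to the hardened way. It assumes commons-text 1.9 on the classpath; the class name, method names and the form input are made up for the illustration.

```java
// Added example for this newsletter: not Apache's code and not from any affected product.
// Assumes org.apache.commons:commons-text 1.9 on the classpath (1.5 through 1.9 are the
// affected releases). ${script:...} only does something if a JSR-223 script engine with that
// name is present (Nashorn on JDK 8-14); ${url:...} and ${dns:...} need network access.
// The "form input" below is constructed test data.
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    // What an attacker types into the "message" field of a contact form instead of "hello".
    static final String ATTACKER_INPUT =
        "${script:javascript:java.lang.Runtime.getRuntime().exec(\"touch /tmp/text4shell\")}";

    // VULNERABLE on commons-text 1.5 - 1.9: createInterpolator() wires up every built-in
    // lookup, including script, dns and url. The bug is letting user-controlled text reach
    // replace(); the library then resolves whatever ${prefix:...} the user wrote.
    static String renderVulnerable(String formMessage) {
        StringSubstitutor sub = StringSubstitutor.createInterpolator();
        return sub.replace("Thanks for your message: " + formMessage);
    }

    // HARDENED, independent of library version: build the interpolator ourselves with an
    // explicit allowlist of lookups (one map we control) and addDefaultLookups=false, so the
    // script/dns/url prefixes simply do not exist. User text goes in as a VALUE that the
    // template looks up, never as part of the template itself.
    static String renderHardened(String formMessage) {
        Map<String, String> values = new HashMap<>();
        values.put("message", formMessage);

        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("form", StringLookupFactory.INSTANCE.mapStringLookup(values));

        StringLookup interpolator =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);

        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Belt and braces: don't re-scan resolved values for more ${...} placeholders.
        sub.setDisableSubstitutionInValues(true);
        return sub.replace("Thanks for your message: ${form:message}");
    }

    public static void main(String[] args) {
        // Safe to run anywhere: the "script" prefix is unknown to this interpolator, so the
        // attacker's placeholder is left in the output as plain text.
        System.out.println(renderHardened(ATTACKER_INPUT));

        // Deliberately commented out. On commons-text 1.9 with a JavaScript engine available
        // this executes the command on the server. Only try it in a throwaway VM.
        // System.out.println(renderVulnerable(ATTACKER_INPUT));
    }
}
```

The hardened version never creates the script, dns or url lookups, so the attacker's `${script:...}` survives only as inert text, whatever commons-text version is on the classpath. Upgrading to 1.10.0 gives you that default for free, but an explicit allowlist also protects you from the next lookup somebody adds. To find out whether you ship the library at all: `mvn dependency:tree -Dincludes=org.apache.commons:commons-text` (or `gradle dependencies`) on your own builds, and a search for `commons-text-*.jar` inside deployed WAR/EAR files for vendor software; the version is right there in the jar's file name.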


Grab your rods girls & boys, we're about to go phishing!
Credential phishing that is.
Thread. As @peterktodd said, you should not be able to change your name while verified without at least a human checking it for fraud.
— briankrebs (@briankrebs)
3:56 PM • Oct 17, 2022
Another good example of a media hype being used in malicious campaigns aimed at stealing your stuff. The (verified) Opera Oviedo account was hacked and quickly renamed to Elon Musk. You know, the playboy billionaire cowboy space philanthropist. It then started promoting a fake site. Why Twitter allows verified accounts to change their name without any further validation is beyond me. Also me:


The quick and dirty
Roofstock sells first on-chain house as NFT for $175K - "Family homeless because they used Password01 for their NFT wallet.". Doesn't sound like a headline of the future anymore.
Microsoft data breach exposes customers’ contact info, emails - Was going to use this in a headline this week, but details are still uncertain. Let's see how it plays out.
Microsoft fixes Windows TLS handshake failures in out-of-band updates - handshakes all around.

Security like I'm five
Don't have time for hours of research? Don't have 20 years of experience in security? Me neither, but I gotchu fam. In Security like I'm five I cover a range of security topics. I do all the hard work and explain it to you in a practical manner. Lots of memes too. Good stuff, good stuff. This and Security weekly conveniently delivered to your mailbox a couple of times a week, for free. Pretty sweet deal if you ask me.

So sign up for the newsletter and be enlightened! (don't set the bar too high tho)