New Apache Commons Text CVE feels like déjà vu all over again

Dan Lorenc, CEO
October 18, 2022

NIST’s newest entry into the National Vulnerability Database (NVD)--CVE-2022-42889 (aka, “Apache Commons Text”)--has so much in common with the infamous, and almost a year old Log4shell vulnerability, that Chainguardians and folks in industry have already started calling it “Text4Shell.”

The familiar part is that Apache Commons Text is a widely-used open source Java library and therefore represents a vast threat surface. According to Google’s open source software usage dataset, over 20,000 other open source projects depend upon vulnerable versions of Apache Commons Text either directly or indirectly, though this number will decrease as these projects upgrade to the newest version of Apache Commons Text.

NVD labeled this a 9.8 severity level– slightly less severe than Log4shell, but if you are running this config in your environment, you will want to do something about it (update to the latest patched version) and quickly since reports of a working proof of concept exploit are circulating. 

The most painful part of Text4Shell will again be the dread that security teams face in knowing they have to manually audit their environments, and the challenge of answering the simple question of whether (and where) they are running this very common library.

At Chainguard, we have deployed a policy in Chainguard Enforce that allows current customers to quickly identify if this vulnerability is present in your environment and offers remediation guidance. More details on that policy below. 

Remediate with Chainguard Enforce

Chainguard has published a sample policy for Enforce on our GitHub, which can be installed into a cluster to identify and optionally block workloads containing vulnerable versions of Apache Commons Text from running on customer clusters.  To install the policy, customers can do the following:

-- CODE language-bash -- # curl -o text4shell-policy.yaml # chainctl policies create --group $CUSTOMER_GROUP -f text4shell-policy.yaml # kubectl label ns default --overwrite

To uninstall the policy, customers can do the following:

-- CODE language-bash -- # chainctl policy delete -y $(chainctl policy list -o json | jq -r '[.items[] | select(.name == "vuln-cve-2022-42889-text4shell")][0].id')

Customers may also find the extended discussion about policies in Enforce, including continuous verification, helpful.

Teams that are not yet using Chainguard Enforce today may benefit from our free trial.


The unfortunate reality is that vulnerabilities like Text4shell and Log4shell are only going to become more prevalent. According to a recent Sonatype report, 1.2 billion known-vulnerable dependencies that could be avoided are being downloaded every month, pointing to non-optimal consumption behaviors as the root of open source risk. 

This is easily one of the biggest challenges facing organizations today when it comes to securing their software supply chains. At Chainguard, we are committed to tackling this problem by providing developers and security leaders with the tools needed to build software securely and make remediation of issues like Text4shell painless. 

Don’t hesitate to reach out if you need any help or guidance as your teams begin to address this issue.

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.