SecurityWeek reports that while cybersecurity experts have compared the critical Apache Commons Text security vulnerability, tracked as CVE-2022-42889, to the Log4Shell flaw, it is not expected to be as widespread as the latter.
The arbitrary code execution flaw, also known as Act4Shell and Text4Shell, has been described by Sophos as dangerous, although it is not as easily exploitable as the Log4j bug. The flaw is also expected to be less prevalent, since Commons Text usage is lower than that of Log4j, according to security researcher Sean Wright and GitHub Security Lab researcher Alvaro Munoz, who discovered the vulnerability in March.
Meanwhile, Rapid7 researchers cautioned against comparing the two flaws.
"The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input," said Rapid7. Organizations have been urged to immediately remediate the flaw, which has already been patched by Apache.
Forty-five malicious NPM and PyPI packages have been deployed by threat actors to facilitate extensive data theft operations as part of a campaign that commenced on Sept. 12, according to BleepingComputer.
Sixty thousand emails from U.S. State Department accounts were noted by a staffer working for Sen. Eric Schmitt, R-Mo., to have been exfiltrated by Chinese threat actors during the widespread compromise of Microsoft email accounts that commenced in May, according to Reuters.