Log4J’s critical vulnerability puts much of the internet at risk
The Apache Software Foundation has released patches to contain an actively exploited zero-day vulnerability affecting the widely used Apache Log4j Java logging library that could be weaponized to execute malicious code and allow a full takeover of vulnerable systems.
Tracked as CVE-2021-44228 and nicknamed Log4Shell or LogJam, the issue is an unauthenticated remote code execution (RCE) flaw in any application that uses the open-source utility, and it affects Log4j versions 2.0-beta9 through 2.14.1. The bug received a perfect score of 10 out of 10 on the CVSS rating system, indicating the seriousness of the problem.
“An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message search override is enabled,” the Apache Foundation noted in an advisory. “As of Log4j 2.15.0, this behavior has been disabled by default.”
Exploitation can be accomplished with a single text string: if that string is logged through a vulnerable instance of Log4j, it can cause the application to reach out to an attacker-controlled external host, effectively giving the adversary the ability to retrieve a payload from a remote server and run it locally. Project officials credited Chen Zhaojun from Alibaba’s cloud security team with discovering the problem.
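Because the affected range is version-specific, the first defensive step is an inventory of which deployed JARs bundle a vulnerable log4j-core. The following is an added example, not code from the article or from the Log4j project: it reads the version from the Maven pom.properties that log4j-core ships with, checks it against the range stated above (2.0-beta9 through 2.14.1, fixed in 2.15.0), and flags archives that still contain the JndiLookup class. The sample JARs it builds are constructed stand-ins, not real artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")

def is_affected_version(version: str) -> bool:
    """True when a log4j-core version string is inside the CVE-2021-44228 range."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return False  # unrecognised format: do not guess, report it separately
    major, minor, tag, tag_num = int(m.group(1)), int(m.group(2)), m.group(4), m.group(5)
    if major != 2 or minor >= 15:
        return False  # 1.x is a different code base; 2.15.0 and later disable lookups
    if minor == 0 and (tag == "alpha" or (tag == "beta" and int(tag_num) < 9)):
        return False  # pre-release builds older than 2.0-beta9
    return True

def scan_jar(jar_path: Path) -> dict:
    """Read the bundled log4j-core version (if any) and check for JndiLookup.class."""
    result = {"jar": jar_path.name, "version": None, "affected": False}
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            result["version"] = next((line.split("=", 1)[1].strip() for line in props
                                      if line.startswith("version=")), None)
    # Conservative: a JAR shipping JndiLookup with an unknown (e.g. shaded) version is flagged too.
    result["affected"] = JNDI_LOOKUP_CLASS in names and (
        result["version"] is None or is_affected_version(result["version"]))
    return result

def scan_tree(root: Path) -> list:
    """Return findings for every .jar/.war/.ear under root that is flagged."""
    archives = (p for p in root.rglob("*") if p.suffix in {".jar", ".war", ".ear"})
    return [r for r in map(scan_jar, archives) if r["affected"]]

def build_sample_tree() -> Path:
    """Constructed sample input (not real artifacts): one affected and one patched JAR."""
    root = Path(tempfile.mkdtemp())
    for version in ("2.14.1", "2.15.0"):
        with zipfile.ZipFile(root / f"log4j-core-{version}.jar", "w") as zf:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")  # empty stand-in for the real class file
            zf.writestr(POM_PROPS, f"version={version}\n")
    return root
```

Nested JARs inside WAR or EAR archives are not unpacked here; a production scanner should recurse into them, since that is where application servers most often bundle log4j-core.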
Log4j is used as a logging package in a variety of different popular software by a number of manufacturers including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. In the latter’s case, attackers were able to obtain an RCE on Minecraft servers by simply pasting a specially crafted message into the chat box.
A huge attack surface
“The Apache Log4j zero-day vulnerability is possibly the most critical vulnerability we’ve seen this year,” said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. “Log4j is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit.”
Cybersecurity firms BitDefender, Cisco Talos, Huntress Labs, and Sonatype have all confirmed evidence of mass scanning of affected applications in the wild looking for vulnerable servers, and have recorded attacks on their honeypot networks following the availability of a proof-of-concept (PoC) exploit. “This is an unskilled attack which is extremely easy to execute,” said Ilkka Turunen of Sonatype.
GreyNoise, comparing the flaw to Shellshock, said it observed malicious activity targeting the vulnerability starting December 9, 2021. Web infrastructure company Cloudflare noted that it was blocking around 20,000 exploit requests per minute around 6:00 p.m. UTC on Friday, with most attempted exploitation coming from Canada, the United States, the Netherlands, France and the United Kingdom.