The Apache Software Foundation has released fixes to contain an actively exploited zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.
Tracked as CVE-2021-44228 and by the monikers Log4Shell or LogJam, the issue concerns a case of unauthenticated, remote code execution (RCE) on any application that uses the open-source utility and affects versions Log4j 2.0-beta9 up to 2.14.1. The bug has scored a perfect 10 on 10 in the CVSS rating system, indicative of the severity of the issue.
“An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled,” the Apache Foundation said in an advisory. “From Log4j 2.15.0, this behavior has been disabled by default.”
Exploitation can be achieved by a single string of text, which can trigger an application to reach out to a malicious external host if it is logged via the vulnerable instance of Log4j, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally. The project maintainers credited Chen Zhaojun of Alibaba Cloud Security Team with discovering the issue.
Log4j is used as a logging package in a variety of different popular software by a number of manufacturers, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. In the case of the latter, attackers have been able to gain RCE on Minecraft Servers by simply pasting a specially crafted message into the chat box
Log4J - huge attack surface
“The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year,” said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. “Log4j is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit.”
Cybersecurity firms BitDefender, Cisco Talos, Huntress Labs, and Sonatype have all confirmed evidence of mass scanning of affected applications in the wild for vulnerable servers and attacks registered against their honeypot networks following the availability of a proof-of-concept (PoC) exploit. “This is a low skilled attack that is extremely simple to execute,” Sonatype’s Ilkka Turunen said.
GreyNoise, likening the flaw to Shellshock, said it observed malicious activity targeting the vulnerability commencing on December 9, 2021. Web infrastructure company Cloudflare noted that it blocked roughly 20,000 exploit requests per minute around 6:00 p.m. UTC on Friday, with most of the exploitation attempts originating from Canada, the U.S., Netherlands, France, and the U.K.
Given the ease of exploitation and prevalence of Log4j in enterprise IT and DevOps, in-the-wild attacks aimed at susceptible servers are expected to ramp up in the coming days, making it imperative to address the flaw immediately. Israeli cybersecurity firm Cybereason has also released a fix called “Logout4Shell” that closes out the shortcoming by using the vulnerability itself to reconfigure the logger and prevent further exploitation of the attack.
“This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string,” Security expert Marcus Hutchins said in a tweet.
This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable.— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
A more detailed analysis can be found on Reddit, click HERE.
Did you find out?
We have started to offer information security & outsourcing services. Learn more HERE.
Do you have a small business? Get a security assessment for free! Contact Us now for more details.
If you find it interesting, you can read:
- Hack Tutorial #1: Free Hacking Tools for Ethical Hackers
- Hack Tutorial #2: List of HTTP status codes
- Hack Tutorial #3: Recover, Move or Hack WhatsApp account using WhatsDumpExtractor
- Hack Tutorial #4: List of Common Ports in networking
- Hack Tutorial #5: Free Cyber Security Basics Course
- The 15 biggest data breaches of the 21st century
- Security Guide: Keeping Your Business Safe Online and Offline 2021
- Cybersecurity Statistics for 2021
- Step by Step Tutorial – How To Perform A Network Security Vulnerability Assessment
- Vulnerability Management Process: Scanning, Prioritizing, and Remediating