An unauthenticated, remote control execution vulnerability allowing complete system takeovers was found in Log42j, developed by the Apache Foundation and used by several enterprise and cloud-based applications.
The vulnerability is now being tracked as CVE-2021-44228 and dubbed Log4Shell or LogJam. Alibaba Cloud’s security team first reported the bug to Apache on November 24. however, the first proof-of-concept exploit was published on Github on December 9, and threat actors have been actively scanning the internet for vulnerable targets since.
Since enterprise apps and cloud services widely use the library, apps and online services from companies like Apple, Amazon and Steam are likely vulnerable to exploits targeting the bug. The vulnerability also affects default configurations of multiple Apache frameworks, including but not limited to Apache Struts2, Apache Solr, Apache Druid and Apache Flink.
In the News: Meta’s VR social platform is now open for all
Enterprise havoc and home nightmare alike?
The exploit was initially detected on sites hosting Minecraft servers where attackers could trigger the vulnerability by simply posting chat messages. Since the POC’s release on Github, threat actors have been actively exploiting the vulnerability. Security analysis company GreyNoise tweeted that they’re experiencing a sharp rise in IPs trying to exploit the same on their servers.
Essentially, all an attacker needs to do is cause the application they’re targeting to save a particular string of characters in its log from triggering the vulnerability. Since just about every program logs its actions in some way, shape or form, it makes this vulnerability extremely easy to exploit and can be triggered in several ways.
In fact, theoretically, the exploit can be even be carried out by hiding this special string in a QR code which can then be scanned by a company, hence getting into their system without ever making contact over the internet.
Actions as simple as changing your iPhone’s name can trigger this vulnerability on Apple servers. Apache has released a patched version of the library — Log4j 2.15.0 to address the bug and provide permanent mitigation.
The vulnerability can be fixed for developers using previous releases by setting the log4j2.formatMsgNoLookups system property to true. Alternatively, developers can also entirely remove the JndiLookup class from the classpath.
According to cybersecurity company Lunasec, cloud services like Steam, Apple’s iCloud and apps like Minecraft have already been found vulnerable. They’ve also provided steps for temporary mitigation and on how to identify if your server is vulnerable.
The CISA has also issued an update regarding the vulnerability asking developers to upgrade the library or deploy temporary mitigations.
In the News: Android Games are coming to Windows in 2022