Since the Log4j vulnerability known as Log4Shell was disclosed in December, the affected library has been downloaded more than ten million times. According to Sonatype, the company that operates the Maven Central repository, roughly four in ten of those downloads were still of vulnerable versions.
The original vulnerability is tracked as CVE-2021-44228 and was patched in version 2.15.0 of the library on December 10; every earlier 2.x release, from 2.0-beta9 through 2.14.1, remains vulnerable. Three further vulnerabilities were found in the weeks that followed and each required its own update: CVE-2021-45046, fixed in 2.16.0; CVE-2021-45105, fixed in 2.17.0; and CVE-2021-44832, fixed in 2.17.1.
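Because each of the four advisories has its own fix version, and the Java 7 (2.12.x) and Java 6 (2.3.x) lines received separate backports, "is this jar patched?" is a per-CVE question rather than a single threshold. The following Python script is an added example, not code from the article or from the Log4j project: it maps a log4j-core version string to the advisories that still apply, using the fix versions published on the Apache Log4j security page, and runs that check over a constructed list of jar paths. The sample paths and the helper names (`parse_version`, `affected_cves`, `audit_jars`) are assumptions for illustration.

```python
import re

# Advisory data as published on the Apache Log4j security page: first affected
# release, fix on the main 2.x line, and the 2.12.x (Java 7) and 2.3.x (Java 6)
# backport fixes. Anything at or above "since" and below the branch's fix is exposed.
ADVISORIES = {
    "CVE-2021-44228": {"since": "2.0-beta9", "main": "2.15.0", "2.12": "2.12.2", "2.3": "2.3.1"},
    "CVE-2021-45046": {"since": "2.0-beta9", "main": "2.16.0", "2.12": "2.12.2", "2.3": "2.3.1"},
    "CVE-2021-45105": {"since": "2.0-beta9", "main": "2.17.0", "2.12": "2.12.3", "2.3": "2.3.1"},
    "CVE-2021-44832": {"since": "2.0-beta7", "main": "2.17.1", "2.12": "2.12.4", "2.3": "2.3.2"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")
_JAR_RE = re.compile(r"log4j-core-(.+)\.jar$")


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that sorts correctly.

    Pre-releases rank below the final release of the same number,
    so 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    pre = (0, int(num)) if tag else (1, 0)
    return (int(major), int(minor), int(patch or 0)) + pre


def affected_cves(version):
    """Return the advisories that still apply to a log4j-core version string."""
    v = parse_version(version)
    if v[0] != 2:
        return []  # the four advisories cover the 2.x line only (1.x is EOL, separate issues)
    branch = "main"
    if v[:2] == (2, 12):
        branch = "2.12"
    elif v[:2] == (2, 3):
        branch = "2.3"
    hits = []
    for cve, fix in ADVISORIES.items():
        if parse_version(fix["since"]) <= v < parse_version(fix[branch]):
            hits.append(cve)
    return hits


def audit_jars(paths):
    """Map each log4j-core jar path to the CVEs its version is exposed to.

    Only log4j-core carries the vulnerable lookup code; log4j-api jars are skipped.
    """
    findings = {}
    for path in paths:
        m = _JAR_RE.search(path)
        if m:
            findings[path] = affected_cves(m.group(1))
    return findings


# Constructed sample input (hypothetical hosts), as a classpath inventory might list them.
SAMPLE_CLASSPATH = [
    "/opt/app-a/lib/log4j-core-2.14.1.jar",
    "/opt/app-b/lib/log4j-core-2.15.0.jar",
    "/opt/legacy/lib/log4j-core-2.12.2.jar",
    "/opt/app-c/lib/log4j-core-2.17.1.jar",
    "/opt/app-c/lib/log4j-api-2.17.1.jar",
]

if __name__ == "__main__":
    for path, cves in audit_jars(SAMPLE_CLASSPATH).items():
        print(path, "->", ", ".join(cves) or "no open advisory")
```

On the sample input the 2.15.0 jar is still flagged for three advisories and the 2.12.2 backport for two, which is the point: a host that was "patched" in the first week of the incident is not necessarily clean. The version is also the only reliable signal; the `log4j2.formatMsgNoLookups` mitigation that circulated early does not cover CVE-2021-45046, and a shaded or renamed jar will not match the filename pattern, so a classpath inventory should be supplemented with a hash or manifest check.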
The disclosure has already caused considerable disruption across the tech industry. CISA launched a web page to guide the US public and private sectors on the issue and ordered all federal civilian agencies to patch it by Christmas Eve.
Additionally, the US Federal Trade Commission warned of legal action against American organisations that fail to upgrade to secure versions of Log4j.
Skating on thin ice?
Apache, too, flagged the issue on its website. Once news of the vulnerability broke, plenty of exploitation opportunities came to light, yet confirmed exploitation has been surprisingly hard to see. One confirmed case is Belgium's Defence Ministry, which was successfully attacked using a Log4j exploit.
There may be several reasons for this, many of which are set out in a Twitter thread by Greg Bednarski, who argues that the attacks have been under-reported.
Alibaba's Cloud Security team, which had originally reported the vulnerability to Apache on November 24, was also reprimanded by China's Ministry of Industry and Information Technology for disclosing the flaw to Apache before reporting it to the Chinese authorities.