Catastrophic Log4j Security Failure Threatens Enterprise Systems and Web Applications Around the Globe


A severe code execution vulnerability in Log4j warns security experts of potentially catastrophic consequences for businesses and web applications.

The vulnerability, listed as CVE-2021-44228 in the Apache Log4j Security Vulnerabilities log, allows remote attackers to take control of an affected system.

What is Log4j?

Log4j is an open source Apache logging system framework used by developers for keeping records within an application.

This exploit in the popular Java logging library results in remote code execution (RCE). The attacker sends a string of malicious code which, when logged by Log4j, allows the attacker to load Java on the server and take control.

Wired reports that attackers were using Minecraft’s chat feature to exploit the vulnerability on Friday afternoon.

Who is affected by the Log4j security issue?

The problem is so serious that the United States Cybersecurity & Infrastructure Security Agency has issued an advisory December 10 which indicates, in part:

“CISA encourages users and administrators to consult the Apache Log4j Announcement 2.15.0 and upgrade to Log4j 2.15.0 or immediately apply recommended mitigation measures.

Advertising

Continue reading below

The log referenced above classifies the severity of the issue as “Critical” and describes it as:

“Apache Log4j2

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup override is enabled.

Marcus Hutchins from MalwareTech.com warns that iCloud, Steam, and Minecraft have all been confirmed vulnerable:

LunaSec CEO Free Wortley wrote in a December 9 post.RCE Zero-Day‘post on the blog that “Anyone who uses Apache Struts is probably vulnerable. “

He also said, “Considering the ubiquity of this library, the impact of the exploit (full control of the server) and the ease of operation, the impact of this vulnerability is quite severe.”

Advertising

Continue reading below

CERT, the Austrian IT Emergency Response Team, issued a warning Friday who said those affected:

“All versions of Apache log4j from 2.0 up to and including 2.14.1 and all frameworks (eg Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc.) that use these versions.

According to the security company LunaSec, the JDK versions 6u211, 7u201, 8u191 and 11.0.1 are not affected in the default configuration, as this does not allow loading a remote code base.

However, if the option com.sun.jndi.ldap.object.trustURLCodebaseis trueset to, an attack is still possible.

Rob Joyce, Director of Cyber ​​Security at the NSA, tweeted friday that, “The log4j vulnerability is a significant threat to exploitation due to widespread inclusion in software frameworks, even the NSA’s GHIDRA.”

Recommendations from security experts to fight against Log4j vulnerabilities

Kevin Beaumont warns that even though you upgraded to log4j-2.15.0-rc1, there was a workaround:

Marcus Hutchins from MalwareTech.com offers a workaround for those who cannot upgrade Log4j:

Matthew Prince, co-founder and CEO of Cloudflare, announced Friday:

We made the decision that # Log4J is so bad that we will try to deploy at least one protection for all Cloudflare default customers, even free customers who don’t have our WAF. Work on how to do it safely now.

Chris Wysopal, Co-Founder and CTO at Veracode, recommends upgrading to a minimum of Java 8:

Advertising

Continue reading below

He also warns, “There may be only 5% of applications still on Java 7, but that’s the long tail that will be exploited over the next few months. Do not have one in your organization.

Determining which apps in your organization are using Log4j should be critical.


Featured Image: Shutterstock / solarseven



Comments are closed.