A recently discovered vulnerability in the Apache Log4j Java-based logging library is widely considered to be one of the most dangerous vulnerabilities ever discovered, and it is being actively exploited in the wild. The flaw is easy to exploit, can be exploited remotely without authentication, and can allow remote code execution, giving an attacker full control of the server. A proof-of-concept (PoC) exploit for the flaw has been published and is being used in real-world attacks. To make matters worse, Log4j is extensively used in enterprise software and cloud-based apps, so businesses and consumers are at risk.
The vulnerability (CVE-2021-44228) has been dubbed Log4Shell and LogJam, and was discovered by Alibaba Cloud’s security team, which notified Apache about the flaw on November 24. The vulnerability affects the default configurations of several Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, and has been assigned a CVSS severity score of 10 out of 10. Security researchers have detected widespread scanning for vulnerable systems since the first PoC exploit for the bug was published on GitHub on December 9, and there have been several cases of the vulnerability being exploited in the wild.
A patch has been released to fix the vulnerability and immediate patching is strongly recommended. The flaw is fixed in Log4j 2.15.0. If for any reason the patch cannot be applied immediately, the vulnerability can be mitigated in Log4j 2.10 and later versions. Mitigations include:
- Set the system property log4j2.formatMsgNoLookups to true; or
- Remove the JndiLookup class from the classpath
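As an added example (not from the article, Apache, or Cybereason), the following Python script shows how the second mitigation can be carried out and verified on a log4j-core jar: it reads the version recorded in the jar’s Maven pom.properties, reports whether the JndiLookup class is present, and writes a copy of the jar with that class removed. The sample jar it builds is a constructed stand-in containing only the entry names that matter for the check.

```python
"""Inventory and strip JndiLookup from a log4j-core jar (CVE-2021-44228 mitigation).

Added example, not the article's or the Log4j project's own code. The first
mitigation the article lists is a JVM flag (-Dlog4j2.formatMsgNoLookups=true);
this script implements the second one, removing JndiLookup from the classpath.
"""
import io
import zipfile
from typing import Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata entry shipped in log4j-core jars; used here only to read the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_version(jar_bytes: bytes) -> Optional[str]:
    """Return the version recorded in pom.properties, or None if the entry is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def is_vulnerable_version(version: str) -> bool:
    """True for releases before 2.15.0, the fixed version named in the article."""
    core = version.split("-")[0]  # drop qualifiers such as "-beta9"
    return tuple(int(p) for p in core.split(".")) < (2, 15, 0)

def has_jndi_lookup(jar_bytes: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP in zf.namelist()

def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar with JndiLookup.class removed and every other entry kept."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def build_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar; only the entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Run against a real jar by reading its bytes into `strip_jndi_lookup` and writing the result back out; the version check tells you whether the jar still needs the 2.15.0 upgrade once the class is gone.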
On Friday, Cybereason released a “vaccine” package called Logout4Shell, which exploits the vulnerability in order to fix it. While it is best to patch the vulnerability by updating to Log4j 2.15.0, Cybereason’s Logout4Shell will guide users through disabling the trustURLCodebase setting on a remote Log4j server to mitigate the vulnerability.
The vulnerability will appeal to a wide range of threat actors who can exploit it to steal sensitive data, sabotage systems, install malware, or conduct ransomware attacks. The vulnerability is in the same class as Heartbleed and Shellshock, although many believe it is far more serious. Amit Yoran, CEO of Tenable, said Log4Shell is “the single biggest, most critical vulnerability of the last decade.”
Anyone using Apache Struts is likely to be vulnerable, and millions of applications use Log4j for logging. The vulnerability is trivial to exploit: a single text string, if it is logged by a vulnerable Log4j instance, causes the application to reach out to an external location that can serve Java code, allowing a threat actor to run arbitrary code on the target system.
In addition to affecting a huge number of cloud services, including Apple iCloud, Amazon, and Twitter, the vulnerability affects the Steam gaming platform and Minecraft. Even the NSA’s GHIDRA suite of reverse-engineering tools is affected. “The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA,” said Rob Joyce, NSA Director of Cybersecurity. “This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure.” It is likely to take weeks before the full extent of vulnerable systems is known.