Apache has released Log4j version 2.15.0 to address the critical RCE vulnerability and users are urged to apply the update immediately.
The Apache Foundation’s Log4j is a widely used open-source tool by enterprise apps and cloud services. The bad news is that a security vulnerability has been identified in this tool, reported by Alibaba Cloud Security Team’s Chen Zhaojun on November 24. The vulnerability is dubbed Log4Shell or LogJam by Lunasec and tracked as CVE-2021-44228.
About the vulnerability
Log4Shell is an unauthenticated RCE vulnerability that allows an attacker to gain full system takeover on devices running Log4j 2.0-beta9 up to 2.14.1. The vulnerability impacts the default configuration of numerous Apache frameworks, including Apache Druid, Apache Solr, Apache Struts2, Apache Flink, etc.
The vulnerability, according to researchers, threatens anyone using the open-source Apache Struts framework and can also cause a Mini Internet Meltdown Soonish, according to British security expert Kevin Beaumont.
The bug was given a 10/10 score in the CVSS rating system, which indicates the issue’s severity. In its security advisory, the Apache Foundation stated that an attacker who can control log message parameters or log messages can efficiently execute arbitrary code loaded from “LDAP servers when message lookup substitution is enabled.”
“From Log4j 2.15.0, this behavior has been disabled by default,” the advisory read.
An attacker can exploit the bug by a single test string, triggering the application to access a malicious external host if logged through the vulnerable Log4j. The adversary retrieves a payload from a remote server and locally executes it.
We have already seen two botnets using #log4j2 now, stay tuned for more details
— 360 Netlab (@360Netlab) December 11, 2021
PoC’s Being Distributed Online
As soon as the first PoC (proof of concept) exploit was published on GitHub, hackers started searching for systems vulnerable to the Log4Shell security flaw that doesn’t need authentication. PoCs for the zero-day for the ubiquitous Apache Log4j Java-based logging library are currently being shared online, making enterprise and home users vulnerable to remote code execution attacks.
Many users might be vulnerable since most popular games, web apps, and enterprise software, including Apple, Cloudflare, Amazon, Twitter, and Steam products, are vulnerable to RCE exploits targeting this bug. Security expert Marcus Hutchins confirmed the severity of the issue in a tweet that read:
“This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string.”
Upgrade Immediately- US-CERT Warns
A security advisory was released by the Apache Software Foundation to address the RCE vulnerability affecting the Log4j versions 2.0-beta9 to 2.14.1. US CISA urges users and administrators to analyze the Apache Log4j 2.15.0 Announcement and immediately upgrade to Log4j 2.15.0.
“Upgrade ASAP to protect yourself from the #RCE vulnerability, CVE-2021-44228, affecting Apache Log4j,” US-CERT posted on Twitter.
Furthermore, CERT (Computer Emergency Response Team) New Zealand has also issued a security advisory to warn users of the active exploitation of the Apache Log4j tool in the wild.