Attackers are already scanning the Web for applications that could be vulnerable to Log4Shell attacks.
The Apache Software Foundation has released an emergency security update that fixes a remote code execution vulnerability ( CVE-2021-44228 ) in the Java Log4j library. The library provides logging capabilities.
The vulnerability, dubbed Log4Shell, can be exploited by forcing Java-based applications and servers with the Log4j library to register a specific string on their internal systems. When an application or server processes the logs, this line can cause the vulnerable system to load and run the malicious scripts from the attacker’s controlled domain. Thus, hackers can take control of the application or server.
The Log4Shell vulnerability scored a maximum of 10 on the CVSSv3 scale because it can be exploited remotely and does not require any special technical skills to execute the code. A critical hazard stems from the ubiquitous presence of Log4j in nearly all major enterprise Java-based applications and servers. For example, Log4j is included in almost all enterprise products released by the Apache Software Foundation such as Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo, etc. Other open-source projects ( Redis, ElasticSearch, Elastic Logstash, NSA’s Ghidra) also use the library to some extent.
According to experts from LunaSec, the servers of Apple, Amazon, Twitter, Steam, Tencent, Baidu, DIDI, JD, NetEase and possibly thousands of other companies are affected by this vulnerability.
According to a Chinese cybersecurity researcher using the p0rz9 alias, CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups parameter is set to false in the library configuration. In the revised version of Log4j 2.15.0, this parameter is set to true, preventing attacks. Log4j users who have upgraded to version 2.15.0 but then set this flag to false will remain vulnerable to attacks. Likewise, users of the older version of Log4j with the flag set to true can block attacks.
According to information security experts, cybercriminals are already scanning the Network for applications that may be vulnerable to Log4Shell attacks.
Catch up on more articles here
Follow us on Twitter here