By Staff Writer
Cybersecurity agencies are scrambling to respond to a critical vulnerability in the Apache Log4j library. Apache Log4j is popular with Java Developers who use the library to log errors. Elevating the risk is its widespread use and the ease of exploiting the vulnerability.
The vulnerability, CVE-2021-44228, also named Log4Shell or LogJam, has a CVSS severity level of 10 out of 10. The vulnerability allows hackers to execute arbitrary code and potentially take full control of a system.
On Friday morning (US time), an exploit was publicly released for the critical zero-day vulnerability. Reports indicate hackers need the application to write just one string to the log. From there, hackers can remotely upload their own code to the application via the message lookup substitution function.
Millions of servers are reportedly at risk, including those used by high-profile companies, including Apple, Cloudflare, Twitter, Valve, Tencent, iCloud, Steam, and Minecraft.
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library,” says the Cybersecurity and Infrastructure Security Agency (CISA).
“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.”
The Log4j library is part of the Apache Software Foundation’s Apache Logging Services project. The project creates and maintains open-source software handling the logging of application behaviour. The software is released at no charge.
The Logging Services project provides cross-language logging services for debugging and auditing purposes. The log4net library is a tool to help the programmer output log statements to various output targets.
Log4j is extremely popular across Java applications. This popularity heightens the risk posed by the vulnerability.
“To be clear, this vulnerability poses a severe risk,” says CISA. “We have added this vulnerability to our catalogue of known exploited vulnerabilities, which compels federal civilian agencies, and signals to non-federal partners to urgently patch or remediate this vulnerability.”
Cybersecurity agencies worldwide are reporting hackers are looking for servers vulnerable to Log4Shell attacks. Working proof of concepts for the vulnerability are available online, including GitHub.
Hackers who developed the Kinsing backdoor and crypto mining botnet are reportedly exploiting the Log4j vulnerability.
Mirai and Muhstik malware is also being installed on vulnerable devices. The malware can deploy crypto miners and potentially perform large-scale DDoS attacks.
Almost all versions of Log4j are vulnerable, starting from 2.0-beta9 to 2.14.1. However, downloading and installing the most recent version of the library, 2.15.0, resolves the vulnerability issue. Apache also has mitigation strategies available if a software update isn’t possible.
The Australian Cyber Security Centre says affected organisations should apply the available patch or update to 2.15.0 immediately.
“Due to widespread use in popular frameworks, a large number of third-party apps may also be vulnerable to exploits,” the agency adds.