Security experts have warned of potentially catastrophic consequences for enterprises and web apps due to a severe remote code execution vulnerability in Log4j.
The flaw, tracked as CVE-2021-44228, allows remote attackers to gain access to a system.
Log4j, an open-source Apache log system framework, is used by developers to maintain records within an application.
Remote code execution is possible because of a flaw in the Java logging library: the attacker sends a crafted message string, and when Log4j logs it, the string causes Java code to be loaded onto the server from a remote source, after which the attacker takes control.
Wired reports that attackers used Minecraft’s chat function to exploit the vulnerability on Friday afternoon.
This problem is so severe that the United States Cybersecurity & Infrastructure Security Agency (CISA) issued a notice on December 10 which states, in part:
“CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement. Upgrade to Log4j 2.15.0 immediately or apply recommended mitigations.”
The announcement rates the severity of the issue as “Critical” and describes it as follows:
“Apache log4j2 <=2.14.1 JNDI features used in configuration, messages, and parameters do not protect against attacker-controlled LDAP and other JNDI endpoints.
An attacker who can control log messages or parameters can execute arbitrary code loaded from an LDAP server when message lookup substitution is disabled.”
Marcus Hutchins of MalwareTech.com warns about the vulnerability in iCloud, Steam, and Minecraft.
LunaSec CEO Free Wortley wrote in a December 9 ‘Zero Day’ blog post: “Anyone using Apache Struts is likely to be vulnerable.”
He added: “Given how widespread this library is, the impact of an exploit (full-server control), and how easy it is to exploit, the vulnerability’s impact is quite serious.”
On Friday, the Austrian Computer Emergency Response Team published a warning that stated:
“All Apache log4j versions from 2.0 up to and including 2.14.1, and all frameworks that use them (e.g., Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc.), are affected.
LunaSec claims that, with the default configuration, JDK versions 6.211, 7.201, 8.191, and 11.0.1 are not affected, because they do not allow loading of remote codebases.
However, if the option com.sun.jndi.ldap.object.trustURLCodebase is set to true, an attack is still possible.”
Rob Joyce, Director of Cybersecurity at the NSA, tweeted Friday: “The log4j vulnerability is a significant risk for exploitation because of the widespread inclusion in software frameworks, even NSA’s GHIDRA.”
Kevin Beaumont warns against upgrading to log4j-2.15-rc1: there is a bypass.
Marcus Hutchins of MalwareTech.com also provides a workaround for those who cannot upgrade Log4j.
Matthew Prince, co-founder and CEO of Cloudflare, announced Friday:
“We’ve determined that #Log4J’s severity is so severe we’re going to try to roll out at least some protection for all Cloudflare users by default, even customers who are not eligible for our WAF. We are working to make that occur safely.”
Chris Wysopal, co-founder and CTO of Veracode, recommends upgrading to Java 8 at a minimum.
He also warned: “There might only be 5% of apps still running Java 7, but that is the long tail that will be exploited over the next few months.” Make sure none of these apps is running in your organization.
You must determine which applications in your organization use Log4j.
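Finding those applications means looking inside the JARs and WARs you deploy, not just at the applications' names. The following inventory scanner is an added example, not code from the article or from any vendor quoted in it: it reads the Maven metadata that log4j-core jars carry at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties (an assumed path following the standard Maven layout), flags versions in the 2.0 to 2.14.1 range quoted from CERT.at above, and descends one level into bundled jars so that a log4j-core hidden inside a WAR's WEB-INF/lib is reported too. The sample archives are constructed in memory so the script runs offline.

```python
import io
import re
import zipfile

# Maven metadata that log4j-core jars carry (assumed path, standard Maven layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)  # range quoted from CERT.at


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.15.0-rc1' -> (2, 15, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None


def assess_archive(data, name, findings=None, depth=0):
    """Classify one jar/war/ear given as bytes; recurse one level into bundled jars."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PROPS in names:
            lines = zf.read(POM_PROPS).decode().splitlines()
            props = dict(l.split("=", 1) for l in lines if "=" in l)
            v = parse_version(props.get("version", ""))
            status = "AFFECTED" if v and AFFECTED_MIN <= v <= AFFECTED_MAX else "ok"
            findings.append((name, props.get("version", "?"), status))
        if depth == 0:  # WAR/EAR files bundle their dependencies, e.g. under WEB-INF/lib/
            for inner in names:
                if inner.endswith((".jar", ".war", ".ear")):
                    assess_archive(zf.read(inner), f"{name}!{inner}", findings, 1)
    return findings


def make_sample_war(version):
    """Constructed fixture: a WAR bundling a log4j-core jar of the given version."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    return war.getvalue()


if __name__ == "__main__":
    for ver in ("2.14.1", "2.15.0", "2.0"):
        for name, found, status in assess_archive(make_sample_war(ver), f"app-{ver}.war"):
            print(f"{status:9} {found:8} {name}")
```

To run it against a real deployment, read each .jar/.war/.ear from disk and pass its bytes to assess_archive; a jar that carries no pom.properties at the assumed path produces no finding, so treat an empty result as "unknown", not as "clean".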