Extremely Dangerous Log4j Zero-Day Threatens The Internet


Details about an extremely severe zero-day remote code execution (RCE) vulnerability affecting the Apache Software Foundation’s Log4j component were published on December 9th, 2021 by the Apache Software Foundation. The vulnerability was first reported by Alibaba Cloud Security on November 24th, 2021.

It is reported that the vulnerability is being exploited by cybercriminals in the wild. The Guardian reported that this software vulnerability is the “most critical vulnerability of the last decade.” According to SOCRADAR, a similar vulnerability was found to be the cause of the famous 2017 Equifax breach that affected the personal records of over 145 million Americans.

Log4Shell Erupts on the News

The major zero-day security issue affecting the Log4j component is being referred to as Log4Shell by security specialists at LunaSec. The vulnerable component is a logging library created by the Apache Software Foundation. The library is widely used across many services and apps all over the internet, which is why several news sources, including the NewScientist, deem the bug to be a severe risk “to the entire internet.”

According to Security Boulevard, “this vulnerability allows an attacker to run arbitrary code on the device, giving full control over to the attacker.”

Adam Meyers, senior VP at cybersecurity company CrowdStrike, is also very concerned, stating that “the internet’s on fire right now,” while developers are rushing to fix the issue as “all kinds of people scrambling to exploit it.” Meyers added that the bug was quickly “weaponized” by malicious actors.

Jen Easterly, the director of CISA (US Cybersecurity & Infrastructure Security Agency), agrees that this is a “severe risk” for the internet at large.

Details About the Vulnerability

The software vulnerability, tracked as CVE-2021-44228 on the National Vulnerability Database, is categorized as a critical threat and has received a full base score of 10 out of 10.

It was first noticed affecting the very popular video game Minecraft, “but it quickly became apparent that its impact was far larger,” wrote NewScientist. Attacks have been taking place since December 9th, 2021. The Quebec government’s shutdown of 3992 government websites is further evidence of the severity of the attacks.

In-depth analysis confirms that this is a remote code execution vulnerability. Apache Logging Services describes the root cause as follows: “Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.”

When leveraged by cybercriminals, this security flaw allows attackers to run malicious code on any targeted device, granting them system-level privileges and access. From there, cybercriminals can propagate malware and launch ransomware attacks.

Numerous commercial businesses and organizations already vulnerable

According to LunaSec, “many, many services are vulnerable to this exploit”, such as Apple iCloud, Steam, and even Minecraft. A full list of other impacted organizations that have reached out can be found here. SOCRADAR confirms that other big industry names like Twitter, Tesla, and Amazon are also vulnerable.

Fixes and Mitigations Available

Information has been published on Apache’s Logging Services portal containing fixes and mitigations for the Log4j vulnerability. The severe risks have been mitigated in Log4j version 2.15.0, according to the Apache Foundation. Thankfully, several organizations have already started patching all potential security holes.

LunaSec has published mitigation steps that help users determine whether they are affected by Log4Shell. According to LunaSec, the log4j packages “log4j-core” and “log4j-api” (among others) are a threat. “That means it’s primarily Java, but other languages like Scala, Groovy, or Clojure are also impacted,” added LunaSec.

More information on LunaSec’s solutions that interest administrators and developers can be found here under section 3, “Determine if you are impacted by Log4Shell.”

CISA recommendation for all organizations

CISA’s December 11th report emphasized that “all organizations” must upgrade to log4j version 2.15.0 “or apply their appropriate vendor recommended mitigations immediately.”

Further “immediate steps” that should be taken according to the CISA report are the following:

  1. Enumerate any external-facing devices that have log4j installed.
  2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
  3. Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
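The first CISA step above (enumerate the devices that have log4j installed) and LunaSec’s “determine if you are impacted” guidance both come down to one inventory task: find every copy of log4j-core on a host, including copies buried inside deployed .war/.ear archives, and compare its version with the fixed release the article names (2.15.0). The following script is an added example written for this page; it is not code from Apache, LunaSec or CISA. It assumes the standard Maven-style jar naming (log4j-core-X.Y.Z.jar) and, as a secondary signal for shaded or renamed jars, checks for the JndiLookup class that implements the JNDI feature described above. The sample directory it builds is constructed for the demonstration.

```python
import io
import os
import re
import tempfile
import zipfile

# Release in which the article says the issue was mitigated; older versions are flagged.
FIXED_VERSION = (2, 15, 0)
# Class implementing the JNDI lookup feature behind CVE-2021-44228; used as a fallback
# signal when a jar has been renamed or shaded and carries no version in its filename.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
LOG4J_CORE_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")


def parse_log4j_version(name):
    """Return (major, minor, patch) from a log4j-core jar name, or None for other jars."""
    match = LOG4J_CORE_RE.search(os.path.basename(name))
    return tuple(int(x) for x in match.groups()) if match else None


def is_vulnerable_version(version):
    """True for any log4j-core release older than the fixed version."""
    return version is not None and version < FIXED_VERSION


def inspect_archive(data, path, findings):
    """Inspect one archive held in memory and recurse into any archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real zip container; nothing to inventory
    with zf:
        names = zf.namelist()
        version = parse_log4j_version(path)
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            # Known version: compare against the fix. Unknown version but JndiLookup
            # present (shaded/renamed jar): flag it so an operator reviews it by hand.
            vulnerable = is_vulnerable_version(version) if version else has_jndi
            findings.append({"path": path, "version": version,
                             "jndi_lookup_present": has_jndi, "vulnerable": vulnerable})
        for entry in names:
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(entry), path + "!" + entry, findings)


def scan_tree(root):
    """Walk a directory and return findings for every log4j-core copy, nested ones included."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, filename)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), os.path.relpath(full, root), findings)
    return findings


def vulnerable_paths(root):
    """Sorted archive paths (outer!inner for nested jars) that still need patching."""
    return sorted(f["path"] for f in scan_tree(root) if f["vulnerable"])


def _make_jar(entries):
    """Build an in-memory jar from a {entry_name: bytes} mapping (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_tree():
    """Create a constructed sample deployment: two loose log4j-core jars, one unrelated
    jar, and a .war with an old log4j-core nested under WEB-INF/lib."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    samples = {
        os.path.join(lib, "log4j-core-2.14.1.jar"): _make_jar({JNDI_LOOKUP_CLASS: b""}),
        os.path.join(lib, "log4j-core-2.15.0.jar"): _make_jar({JNDI_LOOKUP_CLASS: b""}),
        os.path.join(lib, "commons-lang3-3.12.0.jar"): _make_jar(
            {"org/apache/commons/lang3/StringUtils.class": b""}),
        os.path.join(root, "app.war"): _make_jar({
            "WEB-INF/web.xml": b"<web-app/>",
            "WEB-INF/lib/log4j-core-2.13.3.jar": _make_jar({JNDI_LOOKUP_CLASS: b""}),
        }),
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root):
        print(finding)
    print("needs patching:", vulnerable_paths(sample_root))
```

Run it against a real host by calling `scan_tree("/opt")` (or wherever applications are deployed) instead of the constructed sample; the `outer!inner` path form tells an administrator exactly which deployed archive carries the old copy, which is what the SOC needs in order to action alerts against the right asset.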
Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.