A zero-day exploit for Log4j Java library could have a tsunami impact on IT giants

Log4j Log4j

critical zero-day vulnerability in the Apache Log4j Java-based logging library.

Experts publicly disclose Proof-of-concept exploits for a critical remote code execution zero-day vulnerability, tracked a CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library.

Apache Log4j2 jndi RCE#apache #rcehttps://t.co/ZDmc7S9WW7 pic.twitter.com/CdSlSCytaD— p0rz9 (@P0rZ9) December 9, 2021The Chinese security researcher p0rz9 who publicly disclosed the PoC exploit code revealed that the CVE-2021-44228 can only exploited if the log4j2.formatMsgNoLookups option is set to false.

Log4j widely used

The Log4j is widely used by both enterprise apps and cloud services, including Apple iCloud and Steam.

A remote, unauthenticated attacker can exploit the CVE-2021-44228 to execute arbitrary code on a vulnerable system leading to complete system takeover.

The vulnerability was discovered by researchers from the Alibaba Cloud’s security team that notified the Apache Fondation on November 24. According to the experts, the vulnerability is easy to exploit and does not require special configuration, for this reason it received a CVSSv3 score of 10/10. Researchers pointed out that Apache Struts2, Apache Solr, Apache Druid, Apache Flink are all affected by this vulnerability.

Log4j is populair in Open Source

Open-source projects like ElasticSearch, Elastic Logstash, Redis, and the NSA’s Ghidra also use the library.

IT giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, and NetEase are running servers potentially affected by the issue.

“An attacker can use this vulnerability to construct a special data request packet, which eventually triggers remote code execution. Due to the wide range of impact of this vulnerability, users are advised to investigate related vulnerabilities in a timely manner.” reads the post published by the Alibaba Coud security team. “After analysis and confirmation by the White Hat Security Research Institute, there are currently many popular systems on the market that are affected. Almost very tech giants is the victim of this Log4j Remote Code Execution vulnerability.”

Researchers from Bad Packets are already observing mass scanning activity for this vulnerability.

Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j (Java logging library) vulnerable to remote code execution (https://t.co/GgksMUlf94).Query our API for “tags=CVE-2021-44228” for source IP addresses and other IOCs. #threatintel— Bad Packets (@bad_packets) December 10, 2021Lunasec, who tracked this vulnerability as LogJam, confirmed the wide impact of this issue.

“Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable. Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j” reported Lunasec.

Apache addressed the issue with the release of a Log4j release candidate version (2.15.0-rc1), but security researchers already discovered a bypass and urge impacted organizations to updating to the latest RC build log4j-2.15.0-rc2.

Our team at Hackademicus is really concerned on this Exploit

The post A zero-day exploit for Log4j Java library could have a tsunami impact on IT giants appeared first on Security Affairs.