Security experts issue zero-day alerts in the widely used Log4j tool

2021-12-14 15:54:26 By: Ms. Wendy Chen

Security experts are sounding the alarm over a critical new zero-day vulnerability in Log4j, the ubiquitous logging framework in Java software.

The vulnerability (CVE-2021-44228) could allow a remote attacker to run arbitrary code on any application that uses Log4j, and it is being actively exploited. Some vendors have observed large-scale scanning for vulnerable applications (presumably initiated by threat actors), and there have been reports of exploitation against organizations. Attacks on this flaw require very little skill to execute, and they are being driven by proof-of-concept code that is already available in the wild.

"This is the worst-case scenario," warns Casey Ellis, founder and CTO of the crowdsourced vulnerability disclosure platform Bugcrowd. That is because of the widespread use of Log4j in software and platforms, the many paths available to exploit the vulnerability, dependencies that are difficult to patch without breaking other things, and the fact that the exploit itself is short enough to fit in a tweet, he said.

"For many people, this will be a long weekend," Ellis said.

The flaw affects all versions of Log4j from 2.0-beta9 through 2.14.1. The Apache Foundation has assigned it the maximum severity rating of 10 and has released an updated version of the software (Log4j 2.15.0) to address it. The foundation also released mitigation measures for Log4j 2.10 and later, which organizations can apply to prevent remote code execution through the vulnerability.

In a blog post published on Friday, Sonatype described the new Log4j flaw as worse than the infamous 2017 remote code execution vulnerability (CVE-2017-5638) in Apache Struts, which was the root cause of Equifax's massive breach. With that flaw, it took attackers less than two days to start exploiting organizations around the world.

Sonatype said that the newly disclosed vulnerability may have a more far-reaching impact than the Struts vulnerability, because Log4j is used much more widely.

"The impact is comparable to the previous Struts vulnerability, such as the one affecting Equifax, because the attack can be carried out remotely and anonymously, without login credentials, and leads to remote attacks," Sonatype Chief Technology Officer Brian Fox said in an emailed statement. "The combination of scope and potential impact here is different from any previous component vulnerability that I can easily recall."

Even the US National Security Agency's GHIDRA reverse engineering tool is not immune. In a tweet shared on Friday, the NSA's director of cybersecurity stated that the Log4j vulnerability is a significant exploitation threat because it is so widely included in software frameworks, GHIDRA among them.

"This is a case study of why the software bill of materials (SBOM) concept is so important for understanding exposure," wrote Rob Joyce, director of cybersecurity at the National Security Agency.

The Apache Foundation stated that the vulnerability stems from JNDI (Java Naming and Directory Interface) features, used in configuration, log messages, and parameters, that do not protect against attacker-controlled LDAP servers and other JNDI-related endpoints. As a result, when message lookup substitution is enabled, an attacker who can control log messages or log message parameters can execute malicious code loaded from an LDAP server. Newer versions of Log4j disable this behavior by default.

Chris Morgan, a threat intelligence analyst at Digital Shadows, said the risk posed by the vulnerability is very high.

"At a high level, this vulnerability allows an attacker to provide a malicious payload [and] use the payload to trigger the vulnerability, and then inject the second stage of the attack to execute arbitrary code," he said.

Given the number of affected systems and the ease of exploitation, the vulnerability is very likely to attract considerable attention from both cybercriminals and nation-state actors.

"It is recommended that organizations update to version 2.15.0 and be more vigilant about logs related to vulnerable applications," Morgan said.

Arshan Dabirsiaghi, co-founder and chief scientist of Contrast Security, said the newly disclosed Log4j issue is the biggest Java vulnerability in years. Organizations must evaluate the potential impact of the flaw on their environments and consider how to mitigate the threat. He believes the vulnerability is easy to exploit, especially since videos and proof-of-concept code are already publicly available.

For organizations, the vulnerability is easy to mitigate one application at a time, but doing so at scale is much harder.

"Companies need to see in real time which dependencies their application portfolio actually uses," said Dabirsiaghi. "This allows them to do two things: alert the specific developers who use the library in question, and measure their progress in removing it from the organization."

Copyright © 2021 Informa PLC. Informa UK Limited is a company registered in England and Wales with company number 1072954; registered office: 5 Howick Place, London, SW1P 1WG.