Security Warning: New Zero-Day Vulnerability in Log4j Java Library Has Been Exploited | 中德网

2021-12-14 16:06:06 By : Ms. Sophia Tong

Researchers warn that a serious vulnerability in the Java logging library allows unauthenticated remote code execution and server access.

Danny Palmer is a senior reporter for ZDNet. He is based in London and writes articles on issues such as network security, hackers and malware threats.

The newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and allows attackers to take complete control of the affected server.

The vulnerability is tracked as CVE-2021-44228 and is classified as a serious vulnerability that allows unauthenticated remote code execution as the user running the application that uses the Java logging library. CERT New Zealand warned that it has already been exploited in the wild.

CISA has urged users and administrators to apply the recommended mitigation measures "immediately" to address critical vulnerabilities. 

Systems and services that use Apache Log4j, the Java logging library, in versions 2.0 through 2.14.1 are all affected, including many services and applications written in Java.


The vulnerability was originally discovered in Minecraft, but the researchers warned that cloud applications are also vulnerable. Log4j is also used in enterprise applications, and many products are likely to be found vulnerable as more is learned about the flaw.

A blog post by LunaSec researchers warned that anyone using Apache Struts "may be vulnerable."

LunaSec said: "In view of the ubiquity of the library, the impact of exploits (full server control) and the ease of exploitation, the impact of this vulnerability is very serious. We call it 'Log4Shell' for short."

Organizations can determine whether they are affected by checking the log files of any services that use the affected versions of Log4j. If the logs contain user-controlled strings (CERT-NZ uses "Jndi:ldap" as an example), they may be affected.

To mitigate the vulnerability, users should set log4j2.formatMsgNoLookups to true by adding "-Dlog4j2.formatMsgNoLookups=True" to the JVM command used to start the application.

To prevent the library from being exploited, it is urgently recommended to upgrade Log4j to version log4j-2.15.0-rc1.
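The three checks described above (affected version range, mitigation flag, and the "Jndi:ldap" log indicator) can be combined into a small triage script. This is an added example, not code from the article or from the Log4j project; the jar naming pattern, the sample inputs and the placeholder.invalid host are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Affected range as stated in the article: Log4j 2.0 through 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Assumption: the library ships as log4j-core-<version>.jar.
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")
FLAG_RE = re.compile(r"^-Dlog4j2\.formatMsgNoLookups=(\S+)$")
INDICATOR_RE = re.compile(r"jndi:ldap", re.IGNORECASE)  # CERT-NZ's example string

def is_affected(jar_path):
    """True if the jar name carries a version inside the affected range."""
    m = JAR_RE.search(jar_path)
    if not m:
        return False
    version = tuple(int(g or 0) for g in m.groups())
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def lookups_disabled(jvm_args):
    """True if the mitigation flag is present and true (last occurrence wins)."""
    value = None
    for arg in jvm_args:
        m = FLAG_RE.match(arg)
        if m:
            value = m.group(1)
    # Assumption: the value is compared case-insensitively ("True" == "true").
    return value is not None and value.lower() == "true"

def suspicious_lines(log_lines):
    """Return (line_number, line) pairs that contain the indicator."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        # Decode percent-encoding so URL-encoded copies in access logs match too.
        if INDICATOR_RE.search(unquote(line)):
            hits.append((number, line.rstrip()))
    return hits

# Constructed sample inputs (not taken from any real system).
SAMPLE_JARS = ["lib/log4j-core-2.14.1.jar", "lib/log4j-core-2.15.0.jar"]
SAMPLE_JVM_ARGS = ["-Xmx512m", "-Dlog4j2.formatMsgNoLookups=True", "-jar", "app.jar"]
SAMPLE_LOG = [
    "2021-12-10 09:14:02 INFO  login ok user=alice",
    "2021-12-10 09:14:07 WARN  bad User-Agent: Jndi:ldap://placeholder.invalid/a",
    "2021-12-10 09:14:09 INFO  GET /search?q=jndi%3Aldap%3A%2F%2Fplaceholder.invalid",
]

if __name__ == "__main__":
    print("affected jars:", [j for j in SAMPLE_JARS if is_affected(j)])
    print("mitigation flag set:", lookups_disabled(SAMPLE_JVM_ARGS))
    for number, line in suspicious_lines(SAMPLE_LOG):
        print(f"log line {number}: {line}")
```

A log hit shows only that the string reached the logger, so hits on a host with an affected jar and no mitigation flag are the ones to review first.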

Randori’s cybersecurity researchers wrote in a blog post: “If you think you may be affected by CVE-2021-44228, Randori encourages all organizations to adopt a hypothetical violation mentality and review the abnormal activity logs of the affected applications.”

"If an abnormality is found, we encourage you to assume that this is an active incident and you have been threatened and respond accordingly."
