The vulnerability is reported to be under active exploitation by cybercriminals in the wild. The Guardian reported that this software vulnerability is the “most critical vulnerability of the last decade.” According to SOCRADAR, a similar vulnerability was found to be the cause of the famous 2017 Equifax breach, which affected the personal records of over 145 million Americans.
Log4Shell Erupts on the News
The major zero-day security issue affecting the Log4j component is being referred to as Log4Shell by security specialists at LunaSec. The vulnerable component is a logging library created by the Apache Software Foundation. The library is heavily used across many services and apps all over the internet, which is why several news sources, including the NewScientist, deem the bug to be a severe risk “to the entire internet.” According to Security Boulevard, “this vulnerability allows an attacker to run arbitrary code on the device, giving full control over to the attacker.” Adam Meyers, senior VP at cybersecurity company CrowdStrike, is also very concerned, stating that “the internet’s on fire right now,” with developers rushing to fix the issue while there are “all kinds of people scrambling to exploit it.” Meyers added that the bug was quickly “weaponized” by malicious actors. Jen Easterly, the director of CISA (US Cybersecurity & Infrastructure Security Agency), agrees that this is a “severe risk” for the internet at large.
Details About the Vulnerability
The software vulnerability, tracked as CVE-2021-44228 on the National Vulnerability Database, is categorized as a critical threat and has received a full base score of 10 out of 10. It was first noticed affecting the very popular video game Minecraft, “but it quickly became apparent that its impact was far larger,” wrote NewScientist. Attacks have been taking place since December 9th, 2021. Evidence of the severity of the attacks is also manifesting itself in the Quebec government’s shutdown of 3992 government websites. Apache Logging Services describes it as a remote code execution vulnerability with the following root cause: “Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.” When leveraged by cybercriminals, this security flaw allows attackers to run malicious code on any targeted device, gaining system-level privileges and access. From there, cybercriminals can propagate malware and launch ransomware attacks.
Numerous commercial businesses and organizations already vulnerable
Fixes and Mitigations Available
Information has been published on Apache’s Logging Services portal containing fixes and mitigations for the Log4j vulnerability. The severe risks have been mitigated in Log4j version 2.15.0, according to the Apache Foundation. Thankfully, several organizations have already started patching all potential security holes. LunaSec has published steps for determining whether a system has been impacted by Log4Shell. According to LunaSec, the log4j packages “log4j-core” and “log4j-api” (among others) are a threat. “That means it’s primarily Java, but other languages like Scala, Groovy, or Clojure are also impacted,” added LunaSec. More information on LunaSec’s guidance for administrators and developers can be found here under section 3, “Determine if you are impacted by Log4Shell.”
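As an added example (not code from the article, LunaSec or Apache), a defender-side inventory check that walks a directory tree, finds the log4j-core and log4j-api jars named above, and flags any Log4j 2.x release older than the 2.15.0 version the Apache Foundation cites as the fix. It assumes the version is carried in the jar filename or its MANIFEST.MF and does not look inside nested jars (fat jars, WARs), which would need a separate pass.

```python
import os
import re
import zipfile
from typing import Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

# The article states CVE-2021-44228 is mitigated in Log4j 2.15.0; adjust if your vendor advisory differs.
FIXED_VERSION: Version = (2, 15, 0)
# Artefact names LunaSec lists as indicators of exposure; version is taken from the filename.
_JAR_RE = re.compile(r"^(log4j-(?:core|api))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def parse_jar_name(name: str) -> Optional[Tuple[str, Version]]:
    """Return (artefact, version) for a log4j-core/log4j-api jar filename, else None."""
    m = _JAR_RE.match(os.path.basename(name))
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def manifest_version(jar_path: str) -> Optional[Version]:
    """Read Implementation-Version from META-INF/MANIFEST.MF; more reliable than a renamed file."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", text, re.M)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def needs_upgrade(version: Version, fixed: Version = FIXED_VERSION) -> bool:
    """True for any Log4j 2.x release older than the fixed version (Log4j 1.x is out of scope here)."""
    return version[0] == 2 and version < fixed


def assess(names: List[str]) -> List[Tuple[str, str, bool]]:
    """Classify a list of jar names as (name, 'a.b.c', needs_upgrade) for each log4j artefact found."""
    out = []
    for n in names:
        parsed = parse_jar_name(n)
        if parsed:
            ver = parsed[1]
            out.append((n, ".".join(map(str, ver)), needs_upgrade(ver)))
    return out


def scan_tree(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Walk a directory tree and assess every log4j jar, preferring the manifest version."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            parsed = parse_jar_name(f)
            if parsed:
                path = os.path.join(dirpath, f)
                ver = manifest_version(path) or parsed[1]
                yield path, ".".join(map(str, ver)), needs_upgrade(ver)
```

Run `scan_tree("/opt")` (or any application root) and treat every entry whose third field is True as a host that CISA's guidance says must be upgraded or mitigated immediately.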
CISA recommendation for all organizations
CISA’s December 11th report emphasized that “all organizations” must upgrade to log4j version 2.15.0 “or apply their appropriate vendor recommended mitigations immediately.” Further “immediate steps” that should be taken according to the CISA report are the following: