Apache has patched the vulnerability in its Log4j 2 library, but attackers are searching for unprotected servers on which they can remotely execute malicious code.
A serious security vulnerability in a popular product from Apache has opened the floodgates for cybercriminals to try to attack susceptible servers. On Thursday, a flaw was revealed in Apache's Log4j 2, a utility used by millions of people to log requests for Java applications. Named Log4Shell, the vulnerability could allow attackers to take control of affected servers, a situation that has already prompted hackers to scan for unpatched systems on which they can remotely run malicious code.
SEE: Patch management policy (TechRepublic Premium)
The problem has quickly triggered concerns for a host of reasons. The Log4j library is widely used around the world, so a huge number of Java applications and associated systems are at risk. The flaw is easy enough to exploit as an attacker need only insert a single line of Java code to the log.
CERT New Zealand and other organizations have reported that the vulnerability is being exploited in the wild and that proof-of-concept code has been published as evidence of the security weakness.
The National Institute of Standards and Technology (NIST) has given this vulnerability, known as CVE-2021-44228, a severity score of 10 out of 10. As the highest score, this indicates the serious nature of the flaw as it requires little technical knowledge to exploit and can compromise a system without any knowledge or input from the user.
"The sheer danger of this is that the 'log4j' package is so ubiquitous — it is used with Apache software like Apache Struts, Solr, Druid, along with other technologies [such as] ElasticSearch and even video games like Minecraft," said John Hammond, senior security researcher at Huntress. "Different websites of manufacturers and providers have been found to be affected: Apple, Twitter, Steam, Tesla and more. Ultimately, millions of applications use log4js for logging. All a bad actor needs to supply to trigger an attack is a single line of text."
Apache has already patched the Log4Shell exploit. Anyone who uses the log4j library is urged to immediately upgrade to version Log4j 2.15.0. However, hackers know that organizations are often slow to patch even critical security flaws, which is why attackers are frantically hunting for unpatched systems. Other vendors, including Oracle, Cisco and VMware, have issued patches to secure their own products.
For those who can't upgrade quickly enough, security firm Cybereason has released what it calls a "vaccine" for the Log4Shell flaw, which prevents the bug from being exploited. Freely available on GitHub, the fix requires just basic Java skills to activate, according to the company. But ultimately, installing the patched version of Log4j is still the most effective means of protecting your systems.
You can also identify if any of your remote endpoints and servers are susceptible to the flaw in the first place, as described in a blog post from security provider LunaSec. The firm suggests running a DNS query to force a server to fetch remote code to tell you if the vulnerability is triggered. Of further help, a list accessible on GitHub provides additional resources and reveals some of the many applications vulnerable to this flaw.
SEE: NIST Cybersecurity Framework: A cheat sheet for professionals (free PDF) (TechRepublic)
Even with the patch, this is shaping up to be a serious security problem expected to affect organizations and users for the foreseeable future.
"This will likely be an endemic problem that will continue for the near term as security and infrastructure teams race to find and patch vulnerable machines over the coming weeks and months," said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. "Security teams likewise should expect to see an increase in adversary scans which look for vulnerable infrastructure across the internet, as well as exploit attempts over the coming days."
Beyond installing the latest patched version of Log4j, there are other steps organizations should take, both with this latest security flaw and with Java vulnerabilities in general.
"Make no mistake, this is the largest Java vulnerability we have seen in years," said Arshan Dabirsiaghi, co-founder and chief scientist at Contrast Security. "It's absolutely brutal. There are three main questions that teams should answer now — where does this impact me, how can I mitigate the impact right now to prevent exploitation, and how can I locate this and similar issues to prevent future exploitation?"