Log4j zero-day gets security fix just as scans for vulnerable systems ramp up
The Apache Software Foundation has released an emergency security update today to patch a zero-day vulnerability in Log4j, a Java library that provides logging capabilities.
The patch—part of the 2.15.0 release—fixes a remote code execution vulnerability (CVE-2021-44228) disclosed yesterday on Twitter, complete with proof-of-concept code.
The vulnerability, also nicknamed Log4Shell, can be exploited by forcing Java-based apps and servers, where the Log4j library was used, to log a specific string into their internal systems.
When the app or server processes the logs, this string can force the vulnerable system to download and run a malicious script from an attacker-controlled domain, effectively taking over the vulnerable application/server, according to a technical breakdown published yesterday by security firm LunaSec.
With a score of 10/10 on the CVSSv3 severity scale, Log4Shell is as bad as it gets in terms of security flaws, being both remotely exploitable and requiring little technical skill to execute.
Discovered during a bug bounty engagement against Minecraft servers, the vulnerability is far more impactful than some might expect, primarily because of Log4j's near-ubiquitous presence in almost all major Java-based enterprise apps and servers.
For example, Log4j is included with almost all the enterprise products released by the Apache Software Foundation, such as Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo, and possibly many more.
In addition, other open-source projects like Redis, ElasticSearch, Elastic Logstash, the NSA's Ghidra, and others also use it in some capacity or other.
Naturally, all the companies that use any of these products are also indirectly vulnerable to the Log4Shell exploit, even if some of them may be aware of it or not.
According to some research published yesterday, companies with servers confirmed to be vulnerable to Log4Shell attacks include the likes of Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase, and possibly thousands more.
Attacks can be blocked with a config change
According to p0rz9, the Chinese security researcher who first posted the exploit code online, CVE-2021-44228 can only be abused if the log4j2.formatMsgNoLookups option in the library's configuration is set to false.
In a conversation today, Heige, the founder and CEO of Chinese security firm KnownSec 404 Team and one of the first researchers to understand the vulnerability's impact, told The Record that today's Log4j 2.15.0 release basically sets this option to true in order to block attacks.
Log4j users who update to the 2.15.0 version but then set this flag back to false will remain vulnerable to attacks. Similarly, Log4j users who can't update but set the flag to true can block attacks even on older versions.
Unfortunately, this option is set to false by default in old releases, meaning that all past Log4j releases since 2.10.0, when this option was added, are vulnerable by default.
According to reports from security firms Bad Packets and Greynoise, multiple threat actors are already scanning for apps that may be vulnerable to the Log4Shell attack, meaning that server owners will most likely have a very small patch window at their disposal before servers start getting backdoored if they haven't been already.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.