Log4Shell, a zero-day exploit in the popular Java logging library log4j2 has made cloud services such as Steam and Apple iCloud vulnerable, as well as apps like Minecraft.
In a blog post, researchers from LunaSec, said anyone using Apache Struts was also vulnerable, adding that similar vulnerabilities were exploited before in attacks like the Equifax breach in 2017.
The researchers said the exploit results in a remote code execution (RCE) by logging on a certain string. Given the popularity of the library, the researchers said the impact of the vulnerability (CVE-2021-44228) is "quite severe."
Log4j2 has become the most popular logging framework in the Java ecosystem and gets used by millions of applications, said Arshan Dabirsiaghi, co-founder and chief scientist at Contrast Security. Dabirsiaghi said this zero-day exploit impacts any application using Log4j2 and lets attackers run malicious code and commands on other systems.
“Make no mistake, this is the largest Java vulnerability we have seen in years,” he said. “It’s absolutely brutal. Any cloud application written in Java with this popular logging library is impacted.”
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, explained that a workaround has been released to address the vulnerability, which comes as part of Log4j2 version 2.15.0. Morgan said this reportedly changes a system setting from "false" to "true" by default. Users who change the setting back to "false" remain vulnerable to attack, and as a result, Morgan highly recommends that security teams don’t return this to its previous setting.
“Given the scale of affected devices and exploitability of the bug, it’s highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors,” Morgan said. “Organizations are advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications.”
Saryu Nayyar, CEO at Gurucul, added that RCEs are every SOC’s nightmare. Nayyar said the ability for an attacker to download a malicious payload on a network, often raising privileges, and execute that code to steal data or cause other harm keeps most security professionals up at night.
“Today, we have a zero-day vulnerability in the log4j2 logging library that provides just such a problem,” Nayyar said. “APIs are becoming a huge problem in cybersecurity, and this vulnerability only requires a string in the command to exploit. And this highly used library is likely in millions of applications. Most immediately, development teams need to stop using its logging functionality. In the longer term, SOC analysts should examine their applications with a view toward uncovering any exploits that have already occurred.”
.
