The Apache Software Foundation has released fixes to contain an <<https://twitter.com/DTCERT/status/1469258597930614787>> <<https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/>> zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.
Tracked as <<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>> and by the monikers Log4Shell or LogJam, the issue concerns a case of unauthenticated, remote code execution (RCE) on any application that uses the open-source utility and affects versions Log4j 2.0-beta9 up to 2.14.1. The bug has scored a perfect 10 on 10 in the CVSS rating system, indicative of the severity of the issue.
“An attacker who can control log messages or log message parameters can execute arbitrary code loaded from <<https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol>> servers when message lookup substitution is enabled,” the Apache Foundation <<https://logging.apache.org/log4j/2.x/security.html>> in an advisory. “From Log4j 2.15.0, this behavior has been disabled by default.” https://d-6819001142021782409.ampproject.net/2111242025001/frame.html
Exploitation can be achieved by a single string of text, which can trigger an application to reach out to a malicious external host if it is logged via the vulnerable instance of Log4j, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally. The project maintainers credited Chen Zhaojun of Alibaba Cloud Security Team with discovering the issue.
Log4j is used as a logging package in a variety of different <<https://github.com/YfryTchsGD/Log4jAttackSurface>> by a <<https://www.lunasec.io/docs/blog/log4j-zero-day/>>, including Amazon, Apple iCloud, <<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd>>,<< https://blog.cloudflare.com/how-cloudflare-security-responded-to-log4j2-vulnerability/>>, ElasticSearch, <<https://access.redhat.com/security/vulnerabilities/RHSB-2021-009>>, Steam, Tesla, Twitter, and video games such as <<https://twitter.com/Minecraft/status/1469303202864582658>>. In the case of the latter, attackers have been able to <<https://twitter.com/MalwareTechBlog/status/1469290238702874625>> by simply pasting a specially crafted message into the chat box.
A huge attack surface
“The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year,” said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. “Log4j is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit.”
Cybersecurity firms <<https://www.bitdefender.com/blog/labs/bitdefender-honeypots-signal-active-log4shell-0-day-attacks-underway-patch-immediately/>>,<< https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>>, <<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>>, and <<https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild>> have all confirmed evidence of <<https://twitter.com/bad_packets/status/1469225135504650240>> of affected applications in the wild for vulnerable servers and attacks registered against their honeypot networks following the <<https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce>> of a proof-of-concept <<https://twitter.com/artsploit/status/1469245422153699329>> exploit. “This is a low skilled attack that is extremely simple to execute,” Sonatype’s Ilkka Turunen said. https://d-6819001142021782409.ampproject.net/2111242025001/frame.html
GreyNoise, likening the flaw to <<https://en.wikipedia.org/wiki/Shellshock_(software_bug)>>, said it <<https://www.greynoise.io/blog/apache-log4j-vulnerability-CVE-2021-44228>> targeting the vulnerability commencing on December 9, 2021. Web infrastructure company Cloudflare <<https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/>> that it blocked roughly 20,000 exploit requests per minute around 6:00 p.m. UTC on Friday, with most of the exploitation attempts originating from Canada, the U.S., Netherlands, France, and the U.K.
Given the ease of exploitation and prevalence of Log4j in enterprise IT and DevOps, <<https://www.greynoise.io/viz/query/?gnql=tags%3A%22Apache%20Log4j%20RCE%20Attempt%22>> aimed at susceptible servers are expected to ramp up in the coming days, making it imperative to address the flaw immediately. Israeli cybersecurity firm Cybereason has also released a fix called <<https://github.com/Cybereason/Logout4Shell>> that closes out the shortcoming by using the vulnerability itself to reconfigure the logger and prevent further exploitation of the attack.
“This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string,” Security expert Marcus Hutchins <<https://twitter.com/MalwareTechBlog/status/1469289471463944198>> in a tweet.
SOURCE: The Hacker News