The vulnerability was disclosed suddenly, as a “zero-day” vulnerability, taking the industry by surprise. The flaw, dubbed “Log4Shell,” was rated 10 on a scale of one to 10, the worst possible score. Anyone with the exploit can get full access to an unpatched machine.
The Log4j software flaw, as reported by cybersecurity researchers, could allow attackers uncontrolled access to computer systems, and even the US government’s cybersecurity agency has issued a warning about it.
LunaSec notes that simply changing an iPhone’s name was triggering the vulnerability in Apple’s servers.
What is the Log4j vulnerability?
The vulnerability in the Apache Software Foundation module was discovered Nov. 24 by the Chinese tech giant Alibaba, the foundation said.
The vulnerability, dubbed “Log4Shell” by researchers at LunaSec and credited to Chen Zhaojun of Alibaba, has been found in Apache Log4j, an open source logging utility that’s used in a huge number of apps, websites and services.
Log4Shell was also discovered in Microsoft-owned Minecraft, though LunaSec warns that “many, many services” are vulnerable to this exploit due to Log4j’s “ubiquitous” presence in almost all major Java-based enterprise apps and servers. The cybersecurity company warned in a blog post that anybody using Apache Struts is “likely vulnerable.”
The Log4j library in Java is used to keep a record of all activity in an application and is thus very commonly used by software developers across the world. The vulnerability can allow an attacker to control and execute ‘arbitrary code’ and gain access to a computer system. It can allow a hacker to gain complete control of a server when exploited correctly.
The technical description in the CVE entry states: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
The worrisome part here is that the exploit has likely been used by hackers to gain access to certain computer systems, and now that the exploit is in the open, companies will have to patch it soon.
Who all are impacted by Log4j?
On GitHub, the companies listed as impacted include Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Google, Webex, LinkedIn, and others.
The Apache Software Foundation has released an emergency security update to patch the zero-day vulnerability in Log4j, along with mitigation steps for those unable to update immediately.
Microsoft’s Minecraft has already issued a statement on how users can update the game to avoid the issue, according to cybersecurity firm LunaSec. Other open-source projects such as Paper are also issuing patches to fix the problem, the blog adds.
The Computer Emergency Response Team (CERT) for New Zealand, Deutsche Telekom’s CERT, and the Greynoise web monitoring service have all warned that attackers are actively looking for servers vulnerable to Log4Shell attacks. According to the latter, around 100 distinct hosts are scanning the internet for ways to exploit the Log4j vulnerability.
What top tech companies are saying
In a blog post, the Microsoft Security Response Center wrote that its security teams “have been conducting an active investigation of our products and services to understand where Apache Log4j may be used,” adding that if the company identifies any customer impact, it will notify them immediately.
Google Cloud in its security advisory notes that it is actively following the security vulnerability. “We are currently assessing the potential impact of the vulnerability for Google Cloud products and services. This is an ongoing event and we will continue to provide updates through our customer communications channels.”
The company, like others, has advised all its users who manage environments containing Log4j to update to the latest version.
“We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service,” an advisory pushed by Amazon read.
Meanwhile, Amazon believes that upgrading Log4j2 on JDKs will not mitigate the issue. The company said the only comprehensive solution is to upgrade Log4j 2 to 2.15, and any version older than 2.15 should be considered compromised.