Vulnerability found in Apache logging library Log4j exposes popular apps, websites and online services to attack and exploitation
A critical security vulnerability has been discovered that threatens large swathes of the Internet, as it centres around an extremely common open source logging utility, called Log4j.
The flaw is so serious it can be exploited on many websites and online services from the likes of Apple, Amazon, Steam, Twitter and Tesla, to name but a few.
The flaw was discovered being actively exploited last week on Minecraft servers, and it could give hackers full control over affected systems, allowing them to steal system credentials or other data, or to continue exploiting particular systems and networks.
The flaw concerns the Apache logging library Log4j and was disclosed by Apache last week, prompting a flurry of warnings from both UK and US cyber officials, as well as from the cybersecurity industry itself.
“The NCSC is advising organisations to take steps to mitigate the Apache Log4j 2 vulnerability,” warned the UK’s National Cyber Security Centre (NCSC).
“An unauthenticated remote code execution vulnerability (CVE-2021-44228) is affecting multiple versions of the Apache Log4j 2 library,” it said. “The NCSC is aware that scanning and attempted exploitation is being detected globally, including the UK.”
It also stated that proof-of-concept code has been published for this vulnerability.
“Log4j 2 is an open-source Java logging library developed by the Apache Foundation,” said the NCSC. “It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, including custom applications developed within an organisation, as well as numerous cloud services.”
The Log4j 2 library is frequently used in enterprise Java software and is included in Apache frameworks.
Users are being advised to check with their vendors for fixes and apply them as soon as possible.
Meanwhile in the United States, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly addressed the vulnerability.
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library,” said Easterly. “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.”
“End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software,” said Easterly. “Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”
“We continue to urge all organisations to review the latest CISA current activity alert and upgrade to log4j version 2.15.0, or apply their appropriate vendor recommended mitigations immediately,” said Easterly.
“To be clear, this vulnerability poses a severe risk,” said Easterly. “We will only minimise potential impacts through collaborative efforts between government and the private sector. We urge all organisations to join us in this essential effort and take action.”
The need for users to take action was echoed across the security industry.
“Log4j is a library that is built into the logging functionality of a very large part of the internet,” noted Nicholas Luedtke, principal analyst at Mandiant. “It is embedded/used by a ton of software that runs websites, clouds, security services, games, etc…”
“Because logs are important for security, debugging, and audit trails, it is very common for some part of user controlled data to go directly into log files,” said Luedtke. “Those two aspects, coupled by the trivial nature of exploitation of this vulnerability make it very serious.”
“Attackers only need to find a vector by which they can cause a crafted string to be inserted into a logfile of a vulnerable system,” said Luedtke. “Once they have achieved that, the impacts to an enterprise can be wide. Obviously they could gain a foothold on the victim’s network; that foothold may be privileged if the product that was compromised was an administrative or security component.”
Another expert, Jonathan Tanner, a researcher at Barracuda Networks, said the first thing to check is whether any version of log4j prior to 2.15.0 is being used, including via dependencies.
“Maven and Gradle both have ways to print the entire dependency tree for a project, which will allow for determining whether or not a vulnerable version of log4j is being used,” said Tanner.
“Even with version 2.15.0 or greater, it should also be verified that the formatMsgNoLookups system property is not set to true since this version is only not vulnerable because it set the default value of this from true to false.”
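One way to automate the dependency-tree check Tanner describes, as an added example that is not from the article, Maven or Gradle: a Python script that scans `mvn dependency:tree` and `gradle dependencies` output for log4j-core entries below 2.15.0 (the version the article names as fixed). The sample tree output embedded below is constructed for the example; in practice you would feed it the real command output.

```python
import re
from typing import List, Tuple

# Matches the Log4j 2 core artifact in Maven ("group:artifact:jar:version:scope")
# and Gradle ("group:artifact:version", optionally "declared -> resolved") tree lines.
LOG4J_CORE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core(?::jar)?:(?P<version>[0-9][\w.\-]*)"
    r"(?:\s*->\s*(?P<resolved>[0-9][\w.\-]*))?"
)
FIXED_VERSION = (2, 15, 0)  # cutoff named in the article


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' (or a pre-release like '2.0-beta9') into a comparable int tuple."""
    nums = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    return tuple(int(n) if n is not None else 0 for n in nums.groups())


def find_vulnerable_log4j(tree_output: str) -> List[Tuple[int, str]]:
    """Return (line number, effective version) for every log4j-core entry below 2.15.0."""
    hits = []
    for lineno, line in enumerate(tree_output.splitlines(), start=1):
        m = LOG4J_CORE.search(line)
        if not m:
            continue
        # Gradle prints "declared -> resolved" when conflict resolution changes a
        # version; the resolved one is what actually lands on the classpath.
        effective = m.group("resolved") or m.group("version")
        if parse_version(effective) < FIXED_VERSION:
            hits.append((lineno, effective))
    return hits


# Constructed sample output, e.g. from: mvn dependency:tree
SAMPLE_MAVEN_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.springframework:spring-core:jar:5.3.13:compile
"""
# Constructed sample output, e.g. from: gradle dependencies --configuration runtimeClasspath
SAMPLE_GRADLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.logging.log4j:log4j-core:2.13.3 -> 2.15.0
\\--- com.example:legacy-lib:1.2
     \\--- org.apache.logging.log4j:log4j-core:2.11.2
"""

if __name__ == "__main__":
    for name, tree in (("maven", SAMPLE_MAVEN_TREE), ("gradle", SAMPLE_GRADLE_TREE)):
        for lineno, version in find_vulnerable_log4j(tree):
            print(f"{name}: line {lineno} pulls in vulnerable log4j-core {version}")
```

A transitive dependency that a build tool has upgraded to 2.15.0 is not flagged, while one that resolves to an older version deep in the tree is, which is the case Tanner's advice about checking dependencies is aimed at.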