The Apache Software Foundation has released an emergency security update that fixes a 0-day vulnerability (CVE-2021-44228) in the popular Log4j logging library, which is part of the Apache Logging Project.
The patch was released as part of the 2.15.0 release.
The vulnerability was named Log4Shell and scored 10 out of 10 points on the CVSS vulnerability rating scale. The bug allows remote arbitrary code execution (RCE). The problem is aggravated by the fact that yesterday information security researcher p0rz9 already published a PoC exploit on Twitter, and the vulnerability can be exploited remotely, and this does not require special technical skills.
The problem was originally discovered while searching for bugs on Minecraft servers, but Log4j is present in almost all corporate applications and Java servers. For example, the library can be found in almost all enterprise products released by the Apache Software Foundation, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo, and so on. Log4j is also actively used in various open source projects, including Redis, ElasticSearch, Elastic Logstash, Ghidra and others.
Thus, companies using any of these products are also indirectly vulnerable to attacks on Log4Shell, but may even know about it. Information security specialists already report that solutions of such giants as Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase and probably thousands of other companies may be vulnerable to Log4Shell.
p0rz9 wrote that CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups parameter is set to false. KnownSec 404 Team reports that Log4j 2.15.0 has set this parameter to true to prevent attacks. This means that Log4j users who have upgraded to version 2.15.0 and then set the flag to false will again be vulnerable to attacks.
Moreover, Log4j users who have not updated, but have set the flag to true, will still be able to block attacks even on older versions.
Unfortunately, this also means that all older versions are at risk, where this parameter is set to false by default. That is, all previous releases of Log4j, starting with 2.10.0, are vulnerable.
According to experts from Bad Packets and Greynoise, several cybercriminals are already scanning the network in search of applications that may be vulnerable to Log4Shell, which means that there is almost no time left to install patches.
Let me remind you that I also talked about the fact that the IIS bug with worm potential poses a threat to WinRM servers.