Steam, Apple iCloud, And Minecraft Vulnerable To Zero-Day Exploit

Several popular services, including Apple iCloud, Steam, Amazon, Twitter, Cloudflare and Minecraft, are left vulnerable to a ‘ubiquitous’ zero-day exploit that has been discovered in the widely used Java logging system called ‘log4j2’, developed by the Apache Software Foundation.

The vulnerability, dubbed “Log4Shell” by cybersecurity researchers at LunaSec and credited to Chen Zhaojun of Alibaba, results in Remote Code Execution (RCE) when a certain string is logged, which allows attackers to gain uncontrolled access to computer systems and import malware, putting millions of devices completely at risk.

The 0-day was tweeted on December 9 along with a proof-of-concept (POC) posted on GitHub.

According to the researchers, given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability (CVE-2021-44228) is “quite severe”.

Researchers from LunaSec said anybody using Apache Struts is also likely vulnerable, adding that similar vulnerabilities were exploited before in attacks like the Equifax breach in 2017. The vulnerability in Apple’s servers can be triggered by simply changing an iPhone’s name.

The issue affects all versions between 2.0-beta-9 and version 2.14.1. However, LunaSec noted that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the vulnerability.

Many open source projects, such as the Minecraft server Paper, have already begun patching their usage of ‘log4j2’. An extensive list of responses from impacted organizations has been listed here.

The Apache Software Foundation has released an emergency security update in the most recent version of the library, version 2.15.0, to patch the zero-day vulnerability in ‘log4j’, along with mitigation steps for those unable to update immediately.

“An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled,” the Apache Foundation said in an advisory. “From Log4j 2.15.0, this behavior has been disabled by default.”

Those using Log4j in their software are recommended to upgrade it to the latest 2.15 version immediately.
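An added example, not from the original article or from the Log4j project: one way to inventory JARs against the affected range quoted above (2.0-beta-9 through 2.14.1). It assumes the log4j-core JAR carries its standard Maven `pom.properties`; the function names and the sample JARs are constructed for illustration.

```python
import io
import re
import zipfile

# Maven metadata that a log4j-core JAR carries about itself.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?")

def parse_version(text):
    """Sortable tuple; alpha/beta/rc builds sort before the final release."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, tag, n = m.groups()
    rank = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[tag]
    return (int(major), int(minor), int(patch or 0), rank, int(n or 0))

# Affected range as stated in the article (inclusive at both ends).
FIRST_AFFECTED = parse_version("2.0-beta-9")
LAST_AFFECTED = parse_version("2.14.1")

def is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED

def log4j_core_version(jar_bytes):
    """Return the log4j-core version recorded in a JAR, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    return m.group(1).strip() if m else None

def make_sample_jar(version):
    """Constructed input: a minimal JAR holding only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

def audit(jars):
    """Map JAR name -> (version, affected) for JARs that contain log4j-core."""
    found = {name: log4j_core_version(data) for name, data in jars.items()}
    return {n: (v, is_affected(v)) for n, v in found.items() if v is not None}

if __name__ == "__main__":
    samples = {f"app-{v}.jar": make_sample_jar(v) for v in ("2.0-beta9", "2.14.1", "2.15.0")}
    for name, (version, affected) in audit(samples).items():
        print(name, version, "AFFECTED" if affected else "ok")
```

JARs nested inside another archive are not opened by this check, and a version string the parser does not recognise raises an error so that it gets reviewed by hand.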

Kavita Iyer