
Several popular services, including Apple iCloud, Steam, Amazon, Twitter, Cloudflare and Minecraft, are exposed to a ‘ubiquitous’ zero-day vulnerability discovered in the widely used Java logging library ‘log4j2’, developed by the Apache Software Foundation.

The vulnerability, dubbed “Log4Shell” by cybersecurity researchers at LunaSec and credited to Chen Zhaojun of Alibaba, results in Remote Code Execution (RCE) when a certain string is logged, which allows attackers to gain uncontrolled access to computer systems and deploy malware, putting millions of devices at risk.

The 0-day was tweeted on December 9 along with a proof-of-concept (POC) posted on GitHub.

According to the researchers, given how ubiquitous this library is, what a successful exploit yields (full server control), and how easy it is to exploit, the impact of this vulnerability (CVE-2021-44228) is “quite severe”.

Researchers from LunaSec said anybody using Apache Struts is also likely vulnerable, adding that similar vulnerabilities were exploited before in attacks like the Equifax breach in 2017. The vulnerability in Apple’s servers can be triggered by simply changing an iPhone’s name.

The issue affects all versions from 2.0-beta-9 through 2.14.1. However, LunaSec noted that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the vulnerability.

Many open source projects, such as the Minecraft server Paper, have already begun patching their use of ‘log4j2’. An extensive list of responses from impacted organizations has been compiled here.

The Apache Software Foundation has released an emergency security update in the most recent version of the library, version 2.15.0, to patch the zero-day vulnerability in ‘log4j’, along with mitigation steps for those unable to update immediately.

“An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled,” the Apache Foundation said in an advisory. “From Log4j 2.15.0, this behavior has been disabled by default.”

Those using Log4j in their software are recommended to upgrade it to the latest 2.15 version immediately.
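As an added example (not from the article, LunaSec or Apache), a small inventory check that flags log4j-core jars whose version falls in the affected range stated above, 2.0-beta-9 up to but not including the fixed 2.15.0. The jar naming layout (log4j-core-&lt;version&gt;.jar) and the sample file list are assumptions.

```python
import re
from pathlib import Path

# Range reported in the article: 2.0-beta9 through 2.14.1 affected; 2.15.0 is the fix.
FIRST_AFFECTED = "2.0-beta9"
FIXED_IN = "2.15.0"

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort below a final release

def version_key(version: str):
    """Turn a Log4j version string into a sortable tuple.
    Accepts final releases (2.14.1) and pre-releases (2.0-beta9, 2.0-beta-9, 2.0-rc1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    if pre is None:
        return nums + (3, 0)  # final release ranks above any pre-release of the same number
    return nums + (_PRE_RANK[pre], int(pre_num))

def is_affected(version: str) -> bool:
    """True if this log4j-core version lies in [2.0-beta9, 2.15.0)."""
    return version_key(FIRST_AFFECTED) <= version_key(version) < version_key(FIXED_IN)

JAR_NAME = re.compile(r"log4j-core-(.+)\.jar$")

def scan_jar_names(names):
    """Classify jar file names; returns {name: affected_bool} for log4j-core jars only."""
    results = {}
    for n in names:
        m = JAR_NAME.search(n)
        if m:
            results[n] = is_affected(m.group(1))
    return results

def scan_directory(root):
    """Walk a deployment directory (assumed layout) and classify every log4j-core jar found."""
    return scan_jar_names(str(p) for p in Path(root).rglob("log4j-core-*.jar"))

if __name__ == "__main__":
    # Constructed sample inventory, not taken from a real host.
    sample = ["lib/log4j-core-2.14.1.jar", "lib/log4j-core-2.15.0.jar",
              "lib/log4j-core-2.0-beta9.jar", "lib/log4j-core-2.0-beta8.jar",
              "lib/log4j-api-2.14.1.jar"]
    for name, bad in scan_jar_names(sample).items():
        print(f"{'AFFECTED' if bad else 'ok      '} {name}")
```

Run `scan_directory("/path/to/app")` against an application tree to list every log4j-core jar and whether it needs upgrading; jars that are not log4j-core are ignored.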
