Attackers Widely Exploit Max-Severity Apache Log4j Zero-day Vulnerability in the Wild

A maximum-severity vulnerability was discovered in Apache Log4j, which is an open-source logging library based in Java. It is utilized by a lot of organizations in their business programs and by numerous cloud solutions.

The vulnerability, called Log4Shell and monitored as CVE-2021-44228, is critical. Some security researchers are saying that the vulnerability is the most serious among the discovered vulnerabilities in the past ten years because of the simplicity of exploitation as well as a large number of business applications and cloud solutions impacted.

The exploitation of the vulnerability can be done without authentication to gain remote code execution and seize complete control of vulnerable programs. The vulnerability impacts Apache Log4j versions 2.0 up to 2.14.1. The vulnerability in version 2.15.0 has been resolved.

The instruction is to make sure the upgrade is carried out quickly because there is a proof-of-concept exploit for the vulnerability available in the public domain. Comprehensive scans are being done for unsecured systems, and there were a lot of cases that the vulnerability was exploited in the wild. A number of reports indicate the incorrect input validation bug was exploited in the wild for a while prior to its discovery on November 24 by researchers at Alibaba Cloud.

The vulnerability was first observed being exploited in Minecraft, which even now employs Java, though a lot of web applications and business systems employ Java and are prone to attack. The vulnerability impacts several Apache frameworks like Apache Solr, Apache Struts2, Apache Flink, Apache Druid, and others.

The vulnerability may be exploited by modifying log information to implement arbitrary code from LDAP servers if message search substitution is permitted. This is a Java deserialization problem because the library is creating system requests by means of the Java Naming and Directory Interface (JNDI) to an LDAP server and implementing code that is returned. By modifying the log information to bring about a look-up to an attacker-managed server, an attacker could implement code on the system of the victim. Exploiting the bug demands the attacker to acquire vulnerable software to record a special string, which is unimportant for attackers and calls for just one line of code.

Based on UK security researcher Marcus Hutchins, Minecraft servers had been attacked just by putting a brief message into the chatbox. The bug is identified to have been used to release cryptocurrency miners, to put in botnet code on IoT gadgets, and initial access brokers had scrambled to take advantage of the code, therefore it is no surprise that it will give the preliminary access and permit ransomware attacks.

In case it isn’t possible to quickly upgrade to version 2.15.0, there are steps to do to protect against exploitation in version 2.10.0 and the latest versions. Cybereason released a vulnerability “vaccine” that could be employed to safeguard against vulnerability exploitation to run code that modifies the configurations to avert even more exploitation. The vaccine can be employed to buy some time, though the best choice is to upgrade to the most recent Apache Log4j version.

The vulnerable code can be at any place, therefore correcting the problem is not going to be easy, though Huntress has launched a tool that may be employed to test whether applications are impacted. Apache also introduced mitigations that could be used when the update can’t be readily done.

Considering there were a lot of instances of the vulnerability being taken advantage of, it is necessary to not just resolve the vulnerability but to additionally suppose the vulnerability was already exploited and to analyze logs for any strange activity after securing the systems and applications.