At the end of last week a vulnerability in the Java Log4j library was disclosed. Now generally called "Log4shell" and formally tracked as CVE-2021-44228, the flaw in Apache's Log4j library has effects that are serious, widespread, and difficult to mitigate. NIST describes the problem as "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled." The problem lies in the lookup function, Sophos explains (Apache describes the function and how it might be exploited in its Logging Services blog). The vulnerability could give attackers a means of controlling a server, executing whatever code they might choose. Cygenta has a useful overview of how exploitation works, and credits researchers at Alibaba with discovering the flaw back in November and responsibly disclosing it to Apache, which is why upgrades to Log4j were out by the time the vulnerability was disclosed last week. The Wall Street Journal compares Log4shell in scope and risk to 2014's Heartbleed vulnerability.
All Five Eyes have issued warnings about Log4shell, as have other allied cybersecurity services. Their advice is consistent: the flaw is serious, and enterprises should take immediate steps to mitigate their risk. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly on Saturday wrote, "This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates."
Britain's National Cyber Security Centre (NCSC) warns that it's detecting active scanning for the vulnerability, and singles out five Apache frameworks as particularly at risk: Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift. The Australian Cyber Security Centre tells affected organizations that it's standing by and available to render assistance. The Canadian Centre for Cyber Security urges immediate patching. CERT NZ, in New Zealand, is also urging users to protect themselves.
Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) in its alert emphasizes both the severity of the risk and the prospect of remote code execution. The BSI rates the risk "red," that is, of the highest severity. France's CERT-FR warns that the issue is already undergoing exploitation in the wild, and urges users to upgrade to the latest version of Log4j as soon as possible. The Swiss Government Computer Emergency Response Team, like the NCSC, offers advice on what to do when patching is impossible or impractical. It adds a list of indicators of compromise, and it also has a clear description of the exploitation kill chain that defenders will find useful. And the Netherlands' NCSC has posted a comprehensive list of affected software.
Log4shell is being exploited in the wild. Widespread exploitation appears to have begun only after the vulnerability was publicly disclosed, but Cloudflare and Cisco Talos both say they saw signs of an exploit in the wild some nine days before that disclosure.
The CyberWire has a summary of the vulnerability and how organizations are responding to it.