CISA offers, on balance, "a good-news story."
This morning CISA held a media call to outline, one month into the Log4shell affair, how the community it serves has responded to the widespread open-source software vulnerability. CISA Director Jen Easterly and Executive Assistant Director for Cybersecurity Eric Goldstein both spoke during the call. Director Easterly emphasized that Log4shell was easily the most serious vulnerability she'd seen in her career (being widespread, easily exploitable, and high in potential impact), but the news she brought to this update was on balance "a good news story." CISA has seen an "unprecedented level of collaboration among its partners," and, so far, the agency has observed no serious consequences of Log4shell exploitation.
Such exploitation as has been observed so far has been commonplace and of a fairly low-grade criminal nature. CISA has seen mostly cryptojacking and bot-herding, the latter presumably preparation for subsequent opportunistic use. CISA hasn't been able to confirm that Log4shell has been used to deploy any ransomware. The agency, Goldstein said, was aware of the risk of ransomware and was particularly alert to threats to hospitals, but so far ransomware operators seem not to have made extensive use of Log4shell. CISA has also not been able to independently confirm reports of nation-state attacks. And the US Government seems to have escaped disruptive attack: Goldstein said that CISA has observed scanning of US Government agencies, but no successful attempts to compromise them. That said, he cautioned against complacency, given that the Government faces "a long tail of remediation."
Not Log4j, but "Log4j-like."
The Java SQL database H2 has been found to have vulnerabilities similar to those that afflict Log4j. JFrog, whose researchers identified the vulnerability, describes H2 and its use as follows:
"H2 is a very popular open-source Java SQL database offering a lightweight in-memory solution that doesn’t require data to be stored on disk. This makes it a popular data storage solution for various projects from web platforms like Spring Boot to IoT platforms like ThingWorks. The com.h2database:h2 package is part of the top 50 most popular Maven packages, with almost 7000 artifact dependencies."
Naked Security writes that the most probable avenues through which an attacker might exploit the H2 vulnerability are either through an "active H2 web-based console" or an "H2 console listening on an external network interface." Some attacks could open targets to unauthenticated remote code execution.
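Because the two exposure paths named above (an active web console, or a console listening on an external interface) are configuration choices, a defender can audit for them before a scanner does. The following is an added example, not code from CyberWire, JFrog, or the H2 project: it parses a Spring Boot `application.properties` file and flags the H2 console settings that create those exposures. The sample properties text is constructed for the example; the property names `spring.h2.console.enabled`, `spring.h2.console.path`, and `spring.h2.console.settings.web-allow-others` are real Spring Boot keys, and their defaults (console disabled, other hosts not allowed) are the Spring Boot defaults.

```python
"""Audit a Spring Boot application.properties file for H2 console exposure."""

# Constructed sample configuration (not taken from any real project).
# It shows the weak settings: console on, and reachable from non-localhost clients.
SAMPLE_WEAK_PROPERTIES = """
# datasource
spring.datasource.url=jdbc:h2:mem:testdb
spring.h2.console.enabled=true
spring.h2.console.path=/h2-console
spring.h2.console.settings.web-allow-others=true
server.port=8080
"""

# Constructed hardened counterpart: console off (the Spring Boot default).
SAMPLE_HARDENED_PROPERTIES = """
spring.datasource.url=jdbc:h2:mem:testdb
spring.h2.console.enabled=false
server.port=8080
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: first '=' or ':' separates key from value."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        # Java Properties treats the first '=' or ':' as the separator.
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if positions:
            cut = min(positions)
            props[line[:cut].strip()] = line[cut + 1:].strip()
        else:
            props[line] = ""  # key with empty value
    return props


def audit_h2_console(props: dict[str, str]) -> list[str]:
    """Return one finding per risky H2 console setting; empty list means none found."""
    findings: list[str] = []
    # Defaults mirror Spring Boot: console disabled, remote clients not allowed.
    enabled = props.get("spring.h2.console.enabled", "false").lower() == "true"
    allow_others = (
        props.get("spring.h2.console.settings.web-allow-others", "false").lower() == "true"
    )
    if enabled:
        path = props.get("spring.h2.console.path", "/h2-console")
        findings.append(
            f"H2 web console is enabled at {path}; disable it outside local development"
        )
        if allow_others:
            findings.append(
                "web-allow-others=true lets non-localhost clients reach the H2 console"
            )
    return findings


def audit_properties_text(text: str) -> list[str]:
    """Convenience wrapper: parse then audit."""
    return audit_h2_console(parse_properties(text))


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK_PROPERTIES), ("hardened", SAMPLE_HARDENED_PROPERTIES)):
        print(f"[{label}]")
        for finding in audit_properties_text(cfg) or ["no H2 console exposure found"]:
            print("  -", finding)
```

Running the script reports two findings for the weak configuration and none for the hardened one. The same check can be pointed at a real properties file by reading it into `audit_properties_text`; a `web-allow-others` finding on a host whose console port is bound to a non-loopback address is exactly the "listening on an external network interface" case described above.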
You can follow the CyberWire's coverage of the Log4j story here.