Advertisement
  1. SEJ
  2.  » 
  3. Web Dev SEO

Catastrophic Log4j Security Fail Threatens Enterprise Systems & Web Apps Worldwide

A serious code execution vulnerability in Log4j has security experts warning of potentially catastrophic consequences for enterprise organizations and web apps.

Catastrophic Log4j Security Fail Threatens Enterprise Systems & Web Apps Worldwide

A serious code execution vulnerability in Log4j has security experts warning of potentially catastrophic consequences for enterprise organizations and web apps.

The vulnerability, listed as CVE-2021-44228 in the Apache Log4j Security Vulnerabilities log, enables remote attackers to take control of an affected system.

What is Log4j?

Log4j is an open source Apache logging system framework used by developers for recordkeeping within an application.

This exploit in the popular Java logging library results in Remote Code Execution (RCE). The attacker sends a malicious code string that, when logged by Log4j, allows the attacker to load Java on the server and take control.

Wired reports that attackers were using Minecraft’s chat function to exploit the vulnerability Friday afternoon.

Who Is Impacted By The Log4j Security Issue?

The issue is so severe that the United States Cybersecurity & Infrastructure Security Agency released a notice December 10 that states, in part:

“CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.”

The log referenced above classifies the severity of the issue as ‘Critical’ and describes it as:

“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

Marcus Hutchins from MalwareTech.com warns that iCloud, Steam, and Minecraft have all been confirmed vulnerable:

Free Wortley, CEO at LunaSec, wrote in a Dec 9 ‘RCE Zero-Day‘ blog post that, “Anybody using Apache Struts is likely vulnerable.”

He also said, “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.”

CERT, the Austrian Computer Emergency Response Team, published a warning Friday that stated those impacted include:

“All Apache log4j versions from 2.0 up to and including 2.14.1 and all frameworks (e.g. Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc.) that use these versions.

According to the security company LunaSec, the JDK versions 6u211, 7u201, 8u191, and 11.0.1 are not affected in the default configuration, as this does not allow a remote codebase to be loaded.

However, if the option com.sun.jndi.ldap.object.trustURLCodebaseis trueset to, an attack is still possible.”

Rob Joyce, Director of Cybersecurity with the NSA, tweeted Friday that, “The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA.”

Security Expert Recommendations For Combating Log4j Vulnerabilities

Kevin Beaumont warns that even if you had upgraded to log4j-2.15.0-rc1, there was a bypass:

Marcus Hutchins from MalwareTech.com offers a workaround for those who can’t upgrade Log4j:

Matthew Prince, co-founder and CEO of Cloudflare, announced Friday:

We’ve made the determination that #Log4J is so bad we’re going to try and roll out at least some protection for all Cloudflare customers by default, even free customers who do not have our WAF. Working on how to do that safely now.”

Chris Wysopal, co-founder and CTO at Veracode, recommends upgrading to a minimum of Java 8:

He also warns, “There may be only 5% of apps still on Java 7 but that is the long tail that will be exploited over the next months. Don’t have one of these in your org.”

Figuring out which applications in your organization use Log4j should be mission critical.


Featured image: Shutterstock/solarseven

ADVERTISEMENT

Subscribe to SEJ

Get our daily newsletter from SEJ's Founder Loren Baker about the latest news in the industry!

Topic(s) of Interest*
By clicking the "SUBSCRIBE" button, I agree and accept the content agreement and privacy policy of Search Engine Journal.
Ebook

Miranda Miller

Managing Editor at Search Engine Journal

Writer, editor & marketing professional; digital nomad, feminist and mother bear. 15 years of experience planning & executing engaging digital ... [Read full bio]

ADVERTISEMENT
Advertisement
Read the Next Article
Read the Next