Earlier this week, developers of the open-source security platform LunaSec discovered a zero-day vulnerability affecting a widely used Java-based logging library. The vulnerability, identified in a blog post as Log4Shell (CVE-2021-44228), can give third parties the ability to execute malicious code on vulnerable systems.
The vulnerability’s discovery is credited to researchers at LunaSec and Alibaba Cloud Security’s Chen Zhaojun. It leverages a widely used Apache-based logging utility, log4j, to log server data with malicious payloads that trigger a series of actions to inject a secondary payload. The secondary payload allows remote execution of code on the affected system.
Researchers responsible for identifying the vulnerability, discovered initially on Minecraft servers, believe hundreds of thousands of companies and systems could be at risk due to the widespread use of the Apache-based logging service. Analysts have already identified several large companies and services as vulnerable, including Amazon, Apple, Elastic, Steam, Tencent, and Twitter. National Security Agency cybersecurity director Robert Joyce also confirmed that GHIDRA, the agency’s open-source reverse engineering tool, was also affected.
LunaSec notes that anyone using the Apache Struts framework is likely vulnerable. A later update expanded upon the statement, indicating that JDK versions greater than 6u211, 7u201, 8u191, and 11.01 are not affected by the attack’s LDAP-based vector. However, this does not mean later versions are completely immune, as alternative attack vectors may still be employed to leverage the Log4Shell vulnerability to initiate remote code execution.
LunaSec’s finding and the resulting CVE provide affected systems with temporary and permanent mitigation steps to ensure the exploit does not negatively impact their servers and operations. An updated version of the log4j service, v2.15.0, has remediated the exploit and been made available for download. Temporary mitigation has also been provided in the CVE for organizations unable to upgrade their log4j service at this time.