Log4j Remote Code Execution Vulnerability Likely to Affect Millions
- By John K. Waters, Kurt Mackie
- December 15, 2021
UPDATE, 12/16: Cybersecurity experts are saying that attackers connected with nation-states, including China and other governments, are actively exploiting the Log4jShell vulnerability. On Thursday, John Graham-Cumming, CTO of Cloudflare, tweeted that his company has tracked more than 100,000 attempts to exploit the vulnerability per hour.
Sadly, scanning and exploiting the #Log4Shell vulnerabilities has increased past 100k blocked attacks per hour and today looks like the most active day since this became public.
On Wednesday evening Microsoft posted an update to its security blog, in which it reported observing "multiple threat actors leveraging the CVE-2021-44228 vulnerability in active attacks."
MSTIC [the Microsoft Threat Intelligence Center], has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives.
A critical-remote code execution (RCE) vulnerability (CVE-2021-44228) in the Apache Software Foundation's (ASF) Log4j, a widely used open-source Java logging library, is being leveraged by malicious actors in the wild.
The vulnerability, known as "Log4jShell," affects Log4j2 versions up to and including 2.14.1. According to the AWS security guide, the Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. (JNDI is an API that provides naming and directory functionality to applications written using Java.) An attacker with the ability to control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The ASF quickly provided a fix to address CVE-2021-44228 in Apache Log4j 2.15, but on Tuesday, an additional vulnerability (CVE-2021-45046) was reported by MITRE alert. The fix was found to be "incomplete in certain non-default configurations" allowing attackers to "craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service (DoS) attack." The latest version of Log4j, 2.16.0 (for users of Java 8 or later), nearly removes all support for message lookups and disables JNDI by default. Java 7 users were advised to upgrade to Log4j release 2.12.2 when it becomes available.
"Dealing with CVE-2021-44228 has shown the JNDI has significant security issues," said Log4j contributor Ralph Goers, in an online discussion of the issue. "While we have mitigated what we are aware of, it would be safer for users to completely disable it by default, especially since the large majority are unlikely to be using it…."
The zero-day vulnerability (no patch before it became known and potentially exploitable) is likely to have affected millions of devices, according to the Cybersecurity and Infrastructure Security Agency (CISA). Cloud services such as Steam, Apple iCloud, and apps such as Minecraft have already been found to be vulnerable. In one of the first known attacks, malicious actors were able to take over one of Minecraft's servers before Microsoft, which owns Minecraft, patched the problem.
In his most recent "Crypto-Gram" newsletter, cybersecurity maven Bruce Schneier explained why the Log4j vulnerability is so serious:
The range of impacts is so broad because of the nature of the vulnerability itself. Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the snippet in seemingly benign ways, like by sending the string in an email or setting it as an account username.
CISA explained it this way on its website: "Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system."
CISA has posted Apache Log4j Vulnerability Guidance on its web page, and the organization is urging Log4j users to upgrade version 2.15.0, or "apply the appropriate vendor recommended mitigations immediately." Microsoft has also issued a threat advisory and guidance for preventing, detecting, and hunting exploitation of this RCE vulnerability.
"Log4Shell has given cybercriminals the perfect attack campaign on a silver platter," Sanjay Nagaraj, CTO and co-founder of cloud security provider Traceable AI, told ADTmag in an email. "The exposure has become an education process for threat actors, enabling them to direct their efforts to vulnerabilities that have a high rate of return on investment. They are racing to exploit applications and sensitive data while customers simultaneously dash towards patching. In terms of severity this is a REDCON-1, on full alert and ready to fight mode."
Web infrastructure provider Cloudflare may have been the first to discover the vulnerability. The company's CEO, Matthew Prince, posted a warning about the exploit on Twitter on December 11 before it was disclosed.
"In terms of scale," Nagaraj added, "it’s important to note that Java is everywhere, and Java applications are everywhere. Even if your organization isn’t using Java directly, your software supply chain (integrating with 3rd party vendors or other partner software, which may contain Java components) makes you susceptible."
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.