It’s about as bad as it gets.
A critical, zero-day vulnerability in a ubiquitous piece of software used the world over.
Straightforward to exploit, it allows for full control of a compromised server over the internet.
Hackers are already using the flaw to break into organisations around the globe. It’s being called ‘Log4Shell’.
The 10/10 severity vulnerability lives within a hugely popular Java logging library known as log4j, used by many platforms across the internet, including the likes of Apple, Amazon, Google – and Minecraft, where the bug was first discovered.
It’s so concerning because it allows for a thing called remote code execution – one of the most dangerous types of vulnerabilities because a hacker can take complete control of someone else’s machine over the internet.
That’s compounded by the fact that log4j is so widely used: by enterprises like Telstra, as well as the world’s largest cloud and online platform providers.
Add to the mix someone publishing a proof-of-concept to exploit the flaw, and hackers actively scanning the internet to identify vulnerable servers, and we’ve got a big problem on our hands.
“Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe,” security firm LunaSec wrote.
“Millions of applications use log4j for logging, the act of keeping a log of any event or action that happens on a server. And all the attacker needs to do is get the app to log a special string,” security researcher Marcus Hutchins said on Twitter.
“The internet’s on fire right now,” Adam Meyers, senior vice president of intelligence at CrowdStrike, said.
“People are scrambling to patch and there are all kinds of people scrambling to exploit it. In the last 12 hours it has been fully weaponised.”
Hackers were able to compromise Minecraft’s servers simply by pasting a short message into a chat box, according to Hutchins.
Anyone using versions 2.0 to 2.14.1 of log4j is affected. It also impacts default configurations of Apache frameworks like Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, among others.
We’ve seen the type of damage that can be wrought through flaws in open source software like Apache before: the devastating 2017 breach of credit bureau Equifax – which saw the personal data of 148 million Americans and 15 million Brits compromised – was perpetrated through a flaw in Apache Struts.
Apache has released an update to close the vulnerability.
Authorities are urging users to install the patch or update to the latest version of log4j wherever it is used immediately.
For those that can’t, a mitigation is available for versions 2.10 and above: setting the system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.
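The version rules and the two workarounds above, as an added Python triage helper that is not part of this article or of the log4j project: it reports whether a log4j-core jar falls in the 2.0 to 2.14.1 range, whether the property workaround applies (2.10 and above), and can write a copy with the JndiLookup class removed. It assumes the class lives at org/apache/logging/log4j/core/lookup/JndiLookup.class and that the jar manifest carries an Implementation-Version header; the sample jar it builds is a constructed stand-in, not a real log4j build.

```python
import os, re, zipfile

# Assumed location of the lookup class inside log4j-core (verify against your jar).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
AFFECTED = ((2, 0, 0), (2, 14, 1))   # affected range named in the article
PROPERTY_MIN = (2, 10, 0)            # formatMsgNoLookups is only honoured from 2.10

def parse_version(text):
    """(major, minor, patch) from '2.14.1' or 'log4j-core-2.9.1.jar', else None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def classify(version, has_jndi_class):
    """Triage verdict for a log4j-core version plus whether JndiLookup is still present."""
    if version is None:
        return "unknown version: inspect manually"
    if not AFFECTED[0] <= version <= AFFECTED[1]:
        return "outside affected range 2.0-2.14.1"
    if not has_jndi_class:
        return "affected version, JndiLookup removed: mitigated, still upgrade"
    if version >= PROPERTY_MIN:
        return "VULNERABLE: upgrade, set log4j2.formatMsgNoLookups=true, or remove JndiLookup"
    return "VULNERABLE: upgrade or remove JndiLookup (formatMsgNoLookups is ignored before 2.10)"

def inspect_jar(path):
    """Version from the manifest (Implementation-Version assumed; file name as fallback) + class check."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    version = (parse_version(m[1]) if m else None) or parse_version(os.path.basename(path))
    present = JNDI_CLASS in names
    return {"version": version, "has_jndi_class": present, "status": classify(version, present)}

def remove_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class (the 'remove the class' mitigation)."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename != JNDI_CLASS:
                zout.writestr(item, zin.read(item.filename))
    return inspect_jar(dst)

def build_sample_jar(directory, version, with_class=True):
    """Constructed stand-in for log4j-core-<version>.jar: a manifest plus a dummy class entry."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if with_class:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # dummy bytes, not real bytecode
    return path
```

Run `inspect_jar` over every log4j-core jar an inventory turns up; the removal step writes a new file rather than editing in place, so the original stays available for comparison.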
Security firm Cybereason has also released a ‘vaccine’ package called Logout4Shell that exploits the flaw in order to change a setting and fix the vulnerable server.
But evidence that hackers are already compromising vulnerable targets means there’s little time to waste.
“Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately,” security firm Randori said.
“Randori encourages all organisations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity.”