On Friday, December 10, 2021, news of active exploitation of a previously unknown zero-day vulnerability (CVE-2021-44228
Severe vulnerability in Java logging libraries allows unauthenticated remote code execution and access to servers, warn researchers.
Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote code execution as the user running the application utilises the Java logging library. CERT New Zealand warns that it’s already being exploited in the wild.
CISA has urged users and administrators to apply the recommended mitigations “immediately” in order to address the critical vulnerabilities.
SEE: A winning strategy for cybersecurity (ZDNet special report)
The vulnerability was first discovered in Minecraft but researchers warn that cloud applications are also vulnerable. It’s also used in enterprise applications and it’s likely that many products will be found to be vulnerable as more is learned about the flaw.
A blog post by researchers at LunaSec warns that anybody using Apache Struts is “likely vulnerable.”
LunaSec said: “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.”
Organisations can identify if they’re affected by examining the log files for any services using affected Log4j versions. If they contain user-controlled strings, CERT-NZ uses the example of “Jndi:ldap”, they could be affected.
In order to mitigate vulnerabilities, users should switch log4j2.formatMsgNoLookups to true by adding:”‐Dlog4j2.formatMsgNoLookups=True” to the JVM command for starting the application.
To prevent the library being exploited, it’s urgently recommended that Log4j versions are upgraded to log4j-2.15.0-rc1.
“If you believe you may be impacted by CVE-2021-44228, Randori encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity,” cybersecurity researchers at Randori wrote in a blog post.
“If anomalies are found, we encourage you to assume this is an active incident, that you have been compromised and respond accordingly.”