Cybersecurity Threat Advisory 0081-21: Critical Java Zero-Day Vulnerability Leaves Users Open to Remote Code Execution
A critical remote code execution vulnerability has emerged in Log4j, a Java logging package used in a number of software products and platforms from organizations such as Apache, Apple, Twitter, Tesla and Steam. This vulnerability impacts almost every Java application that writes logs using this library. Apache has released a patch for this vulnerability, which is being tracked as CVE-2021-44228. We have implemented custom rules to detect this exploit in our SKOUT Managed XDR Log and Network Security Monitoring solutions, and recommend applying this patch immediately to protect your organization.
TECHNICAL DETAIL & ADDITIONAL INFORMATION
WHAT IS THE THREAT?
CVE-2021-44228: This is a remote code execution vulnerability. If exploited, an attacker could use it to execute commands remotely, enabling them to run anything they want on a vulnerable device. This could lead to data leakage, complete system compromise, or denial of service.
Because there is a proof of concept available for this vulnerability, Barracuda MSP’s team and other security professionals are expecting to see a heightened number of attacks and attempts to exploit vulnerable users.
WHY IS IT NOTEWORTHY?
As stated earlier, this vulnerability affects any application that uses Log4j for logging. This includes software from Apache, Apple, Twitter, Tesla, Steam, Elasticsearch, Redis, and many video games (such as Minecraft). This gives cyber criminals an incredibly wide scope of potential targets. The ramifications of this exploit are so large that it is being compared to the “Shellshock” vulnerability.
Attackers are always on the lookout for these types of widely exploitable vulnerabilities, and this RCE is one of the biggest to surface recently. It is very important to keep services updated and apply patches as they are released to prevent threat actors from accessing and damaging your systems.
WHAT IS THE EXPOSURE OR RISK?
This exploit could potentially allow attackers to execute remote code on an impacted device. Remote code execution could lead to several possible compromises, such as data leakage, denial of service attacks, and even complete system compromise. Because the vulnerable library is used in so many different applications, attackers are not necessarily looking for a particular target: it only takes one line of text to trigger this attack, so attackers are simply spraying it everywhere they can and hoping to find vulnerable applications. If a machine is compromised, attackers could gain access to sensitive information by executing arbitrary system commands and even creating or deleting files. Log4j is used for logging in many different applications, many of which are used and trusted by businesses and individuals worldwide. The expectation is that any data stored in these applications remains private, and that these applications will be available to conduct everyday business. This vulnerability could put these expectations at risk if exploited by attackers, so it is very important to ensure that all patches are applied.
WHAT ARE THE RECOMMENDATIONS?
We have implemented custom rules to detect this exploit in our SKOUT Managed XDR Log and Network Security Monitoring solutions and recommend applying this patch immediately to protect your organization. Please refer to the full list of impacted versions of the Log4j library below.
- All Log4j 2.x versions before 2.15.0 (released today, Friday, December 10, 2021) are affected, on JVM versions lower than:
  - Java 6 – 6u212
  - Java 7 – 7u202
  - Java 8 – 8u192
  - Java 11 – 11.0.2
- If your organization uses Apache log4j, it should upgrade to log4j-2.1.50.rc2 immediately.
- Additionally, it is up to individual vendors to apply this patch to their applications, so keep an eye out for any application updates. This resource is tracking vulnerable components/applications: https://github.com/YfryTchsGD/Log4jAttackSurface
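As an added example (not part of this advisory or of the SKOUT detection rules), the following Python checks an application archive against the affected-version rule above: it reads the Maven version metadata that log4j-core carries in its jar, descends into nested jars, and flags any 2.x copy older than 2.15.0. The jar it scans is constructed in memory for the demonstration; the POM path is the standard Maven location, everything else is illustrative.

```python
import io
import re
import zipfile

# Per the advisory, every Log4j 2.x release before 2.15.0 is affected by CVE-2021-44228.
FIXED_VERSION = (2, 15, 0)
# Maven metadata that log4j-core ships inside its jar; it records the exact version.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.14.1', '2.15.0-rc2' or '2.0-beta9' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def is_affected(version_str):
    """True when the version is a 2.x release older than the fixed 2.15.0."""
    v = parse_version(version_str)
    return v is not None and v[0] == 2 and v < FIXED_VERSION

def log4j_core_versions(archive_bytes):
    """Collect every log4j-core version in an archive, descending into nested
    archives so Spring Boot style 'fat' jars and .war/.ear bundles are covered too."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name == POM_PATH:
                props = zf.read(name).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        found.append(line.split("=", 1)[1].strip())
            elif name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                found.extend(log4j_core_versions(zf.read(name)))
    return found

def scan_archive(archive_bytes):
    """Return [(version, affected)] for each log4j-core copy found in the archive."""
    return [(v, is_affected(v)) for v in log4j_core_versions(archive_bytes)]

def build_sample_jar():
    """Constructed fixture (not a real artifact): an application jar that bundles
    log4j-core 2.14.1 as a nested jar under BOOT-INF/lib, as Spring Boot does."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PATH, "artifactId=log4j-core\nversion=2.14.1\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

Shaded or relocated builds may strip the Maven metadata, so a clean result from this check alone does not prove absence; pair it with the vendor update tracking recommended above.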
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.