Last Updated on December 13, 2021
The recent emergence of CVE-2021-44228, the so-called Log4Shell vulnerability, is a critical flaw affecting multiple versions of the ubiquitous Apache Log4j 2 Java logging framework. Attackers are already scanning the internet for exposed systems and services to install crypto mining malware, build up botnets and harvest user credentials (via Cobalt Strike), with ransomware exploits sure to follow.
“The next Heartbleed”
Dubbed “the next Heartbleed” for its potentially massive ongoing impact across thousands of organizations, exploitation of this flaw is almost laughably trivial. For example, researchers were able to use chat boxes to launch exploits against the Java version of Microsoft’s Minecraft, the most popular video game of all time.
Sites hosting Minecraft servers were “ground zero” for Log4Shell. Other allegedly vulnerable sites include the Steam gaming platform and Apple’s iCloud.com. While Java software will be a key target and obvious concern, Log4j 2 is widely used in literally millions of web apps, enterprise apps, eCommerce platforms, email services and games, and is a dependency in many services, both on-prem and on cloud.
Exploit options are numerous
The Log4Shell vulnerability is exploitable using a wide range of situation-specific methods. Given the range of potential delivery options, your firewall alone does not eliminate the threat. Basically, all an attacker needs to do is get the app to save a specific string in its log. Successful hacks start by establishing a remote connection, followed by writing of arbitrary data to logs utilizing the Log4j 2 library, followed by remote code execution leading to data exposure.
It’s likely that more and more vulnerable products will emerge in the coming weeks, especially since attackers have probably been exploiting Log4Shell prior to its public disclosure. Ironically, there has been longstanding pressure from the developer community to decommission Log4j, but these concerns weren’t taken seriously because no “real” issues had arisen.
Patch or mitigate now!
To mitigate this high-risk vulnerability, you should urgently prioritize upgrading to a patched version of Log4j 2 or the application using it. If patching isn’t possible, you can apply a temporary mitigation method, such as described on randori.com. Another possible option is a “vaccine” released by cybersecurity firm Cybereason that can remotely mitigate the vulnerability.
If you believe you may be impacted by CVE-2021-44228, the recommendation is to adopt an “assumed breach” approach and review the logs for potentially exploitable applications. If your software inventory contains these hashes, then you have a vulnerable version of Log4j to contend with.
Not sure if you need to be worried about Log4Shell? Contact Pivot Point Security to connect with an expert about next steps.