A highly critical vulnerability affecting the Apache Log4j library has potentially shaken the internet. This ‘Log4Shell’ vulnerability is already under attack and affects various services including Twitter, iCloud, Apple, and Minecraft.
‘Log4Shell’ Zero-Day Vulnerability Has A Wide Attack Surface
Researchers have shared insights about a critical Apache Log4j vulnerability that affects numerous services.
As listed in a new GitHub repo, the affected services include Apple, Amazon, Twitter, Tencent, Steam, Baidu, Cloudflare, Tesla, Ghidra, Google, WebEx, LinkedIn, and more. The vulnerability was first spotted affecting Minecraft.
According to the official description of this vulnerability from Apache, it’s an RCE flaw that allows an attacker to take control of the target servers. As stated,
Apache has confirmed that this vulnerability impacts Log4j 2 versions from 2.0-beta9 to 2.14.1.
Apache Deployed The Patches
Regrettably, New Zealand CERT has warned in an advisory that the bug is already being exploited in the wild.
Hence, it is imperative that users update to the latest Log4j version to receive the patch. US-CERT has also urged these updates in its recent advisory.
Specifically, Apache has released Log4j version 2.15.0, addressing this vulnerability. They have also shared a mitigation for this bug in their advisory, which reads:
In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the corresponding environment variable to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
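The version check and the class-removal mitigation above can be scripted for an inventory of jars. The following is an added example, not Apache's code or part of the advisory; it builds a constructed sample jar (a dummy manifest and dummy class bytes standing in for log4j-core) so it runs offline, reports whether the jar is in the affected 2.x range with JndiLookup present, and rewrites the jar without that class, which has the same effect as the zip -d command.

```python
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # first release Apache shipped with the fix

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' are dropped."""
    nums = text.split("-", 1)[0].split(".")
    return tuple(int(n) for n in nums if n.isdigit())

def scan_jar(path):
    """Report the log4j-core version and whether JndiLookup is still present."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    version = match.group(1) if match else None
    parsed = parse_version(version) if version else ()
    affected = bool(parsed) and parsed[0] == 2 and parsed < FIXED
    return {
        "version": version,
        "has_jndi_lookup": JNDI_LOOKUP in names,
        "vulnerable": affected and JNDI_LOOKUP in names,
    }

def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d`)."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)

def build_sample_jar(version="2.14.1"):
    """Constructed sample jar standing in for log4j-core; class bodies are dummies."""
    fd, path = tempfile.mkstemp(suffix=".jar")
    os.close(fd)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path

if __name__ == "__main__":
    sample = build_sample_jar()
    print(scan_jar(sample))      # vulnerable: True
    remove_jndi_lookup(sample)
    print(scan_jar(sample))      # vulnerable: False
    os.remove(sample)
```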
Let us know your thoughts in the comments.
Last modified: December 13, 2021