The unauthenticated remote code execution vulnerability in Apache's Java-based Log4j logging library is being actively exploited, and researchers have issued a warning after using the flaw to execute code on a Minecraft server.
Infosec company Randori summarized the vulnerability in a blog post, stating: "In fact, any scenario that allows remote connections to provide arbitrary data is vulnerable to exploitation. Well-designed proof-of-concept code snippets are already in progress."
The vulnerability is tracked as CVE-2021-44228 and affects Log4j versions before 2.14.1. Proof-of-concept code was published to GitHub by members of the Alibaba Cloud security team, accompanied by a short readme: "As verified by the Alibaba Cloud security team, Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc. are all affected."
The Apache Foundation released a patch for the critical-severity vulnerability earlier today. Its patch notes confirmed: "When message lookup substitution is enabled, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server."
We have contacted Apache for comment and will update this article if it responds. The root cause appears to be that Log4j parses lookup expressions embedded in user-supplied input. Wherever it is present, the flaw affects both Log4j and its updated version, Log4j 2.
Infosec outfit LunaSec has published a detailed blog post about the flaw.
Sean Wright, an application security expert at Immersive Labs, told The Register that although patches are available right now, it is better to apply the interim mitigation and wait for a stable release.
"My suggestion to organisations is to review the interim remediation advice (set the formatMsgNoLookups=true property) and wait for the patched version to become available," he said. "Although there are release candidates for the patch, they are not stable versions and may pose risks, so apply the temporary fix until you can apply the stable version of the patch."
Marcus Hutchins, the infosec researcher who stopped WannaCry from attacking the UK's NHS a few years ago, described it as "extremely bad."
In the case of Minecraft, an attacker only needs to paste a short message into the chat box to execute code remotely on the Minecraft server.
— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
Jamie Moles, senior technical manager at network detection and response company ExtraHop, told The Register the RCE may affect "many cloud platforms including Steam, iCloud and Minecraft."
"This problem can be mitigated by patching," he continued. "Updating log4j-core.jar to version 2.15.0, released today, solves the issue. But we are now in December, when many online services will be in a change freeze, which means the business will not tolerate downtime to patch the issue. It will be interesting to see this spread to the retail industry."
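A practical first step for defenders is finding every copy of log4j-core that is older than the 2.15.0 release mentioned above. The following Python script is an added example, not code from the article or from the Apache project: it walks a directory tree, reads the version from each log4j-core jar's Maven pom.properties (falling back to the file name), and flags anything below 2.15.0. The jar-building helper only constructs sample input so the script runs offline.

```python
import re
import zipfile
from pathlib import Path

# Per the article, log4j-core 2.15.0 is the release that fixes CVE-2021-44228.
FIXED_VERSION = (2, 15, 0)
# Standard Maven metadata path that a log4j-core jar carries.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple of three ints."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def jar_version(jar_path):
    """Version from pom.properties in the jar, else from the log4j-core-<ver>.jar name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPS in zf.namelist():
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not a jar: fall through to the file-name heuristic
    m = re.search(r"log4j-core-(\d+(?:\.\d+)*)", Path(jar_path).name)
    return m.group(1) if m else None

def is_vulnerable(version):
    # Unknown versions are reported with version None rather than flagged.
    return version is not None and parse_version(version) < FIXED_VERSION

def scan(root):
    """Walk a tree and return (path, version, vulnerable) for every log4j-core jar."""
    return [(str(j), jar_version(j), is_vulnerable(jar_version(j)))
            for j in sorted(Path(root).rglob("log4j-core*.jar"))]

def make_sample_jar(path, version):
    """Constructed test input: a stub jar holding only pom.properties."""
    Path(path).parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        make_sample_jar(f"{d}/app/lib/log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(f"{d}/other/log4j-core-2.15.0.jar", "2.15.0")
        for path, version, vuln in scan(d):
            print("VULNERABLE" if vuln else "ok        ", version, path)
```

Jars with no readable version are listed with version None so they can be checked by hand; nested jars inside WAR or EAR archives are not unpacked by this script.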
Log4j is also the default logging utility in Elasticsearch, as well as in many other products and services that businesses rely on. If you were hoping for an early start to the weekend, I'm sorry: like time, vulnerabilities wait for no one. ®