'Especially dangerous' Java zero day discovered, same type as used in Equifax breach
Patch Log4j urgently admins urged, as memories of 2017 Equifax hack loom large
A proof of concept exploit has been published on GitHub that attacks a remote code execution zero day flaw in Apache Log4j, a very widely used logging program for Java software.
The flaw, tracked as CVE-2021-44228, allows attackers to execute malicious code on Java applications and is poses a serious danger both because of the ubiquity of Log4j and because such an attack is easy to pull off.
"This type of vulnerability is especially dangerous as it can be used to run any code via your software and requires very low skills to pull off from an attacker," said Ilkka Turunen, field CTO of at code security firm Sonatype in a blog post. "Log4j is near ubiquitous in Java applications, so Log4j is near ubiquitous in Java applications, so immediate action is needed from software maintainers to patch."
Marcus Hutchins, the security specialist credited with stopping the WannaCry ransomware attack in its tracks, described the flaw as 'extremely bad'. Many Java applications including iCloud, Steam, and Minecraft are all vulnerable, he noted.
Anybody using the Apache Struts/Structs2 web application framework is likely vulnerable, said Free Wortley, CEO of security platform LunaSec, noting that similar vulnerabilities in Structs were exploited before in the 2017 Equifax data breach, which saw hundreds of millions of personal records stolen.
Apache Log4j versions between 2.0 and 2.14.1 are affected. The Apache Foundation has released a patched version 2.15.0 that neutralises the problem; it can be downloaded from Maven Central.
For older versions that cannot be immediately upgraded Apache advises they can be reconfigured manually to remove the vulnerability by "setting system property ‘log4j2.formatMsgNoLookups' to ‘true' or by removing the JndiLookup class from the classpath."
"This new Log4j vulnerability is likely going to be another 'flashbulb memory' event in the timeline of significant vulnerabilities," predicted Sonatype CTO Brian Fox.
"It is the most widely used logging framework in the Java ecosystem. The scope of affected applications is comparable to the 2015 commons-collection vulnerability (CVE 2015-7501) because attackers can safely assume targets likely have this on the classpath.
"The impact is comparable to previous Struts vulnerabilities, like the one that impacted Equifax, because the attacks can be done remotely, anonymously without login credentials, and leads to a remote exploit. The combination of scope and potential impact here is unlike any previous component vulnerability I can readily recall."