Critical New 0-day Vulnerability in Popular Log4j Library Discovered with Evidence of Mass Scanning for Affected Applications

News broke early Friday morning of a serious 0-day remote code execution exploit in log4j (CVE-2021-44228), the most popular Java logging framework, used by Java software far and wide. This type of vulnerability is especially dangerous because it lets an attacker run arbitrary code through your software and requires very little skill to pull off. Log4j is near ubiquitous in Java applications, so immediate action is needed from software maintainers to patch.


This affects anyone using log4j to perform logging, and anyone using software that uses log4j, which covers a large share of the enterprise Java software currently available.

A similar vulnerability was used in the famous Equifax hack with devastating results. What makes this issue potentially more dangerous is the wide adoption of log4j in most of the Java ecosystem.

What is the Log4j Exploit? 

Early Friday morning GMT a vulnerability proof of concept was published in a GitHub repository and made public.

It affects Apache log4j versions 2.0 through 2.14.1 and, according to some sources, only on JDK versions below 6u211, 7u201, 8u191 and 11.0.1. Coordinated with this release, Apache published a fix for the issue.

This is a low-skill attack that is extremely simple to execute. It allows the attacker to run arbitrary code on any vulnerable application and use that capability to carry out an attack. Compared to the famous 2017 Struts2 CVE that led to the Equifax breach, this issue is potentially more far-reaching, as log4j is a far more widely adopted component.

This vulnerability affects any application that uses log4j for logging, which includes software such as Minecraft, where we’ve already seen evidence of the vulnerability being exploitable through the built-in chat functionality. It’s
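As an added example (not code from the original post or from Sonatype), a small Python inventory check that applies the two ranges the post cites: log4j-core versions 2.0 through 2.14.1, and the JDK thresholds 6u211, 7u201, 8u191 and 11.0.1. The jar paths and java.version strings are constructed sample inputs; treating 2.0 pre-release builds as inside the range is an assumption of this example.

```python
import re
from pathlib import PurePosixPath

# Affected log4j-core range cited in the post: 2.0 through 2.14.1 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# JDK update thresholds the post attributes to "some sources": 6u211, 7u201, 8u191.
# JDK 11 (threshold 11.0.1) uses minor/patch numbering and is handled separately.
JDK_UPDATE_THRESHOLDS = {6: 211, 7: 201, 8: 191}
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(-[A-Za-z0-9]+)?\.jar$")
JDK_RE = re.compile(r"^(?:1\.)?(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")


def parse_log4j_core(filename):
    """Return ((major, minor, patch), qualifier) for a log4j-core jar name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0)), (qualifier or "").lstrip("-")


def is_affected(version):
    """True inside 2.0 .. 2.14.1 (2.0 pre-releases such as 2.0-beta9 counted in range: an assumption)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def jdk_below_threshold(java_version):
    """True below the cited threshold for the major release, False at/above, None if unlisted."""
    m = JDK_RE.match(java_version)
    if not m:
        return None
    major, minor, patch, update = (int(g) if g is not None else 0 for g in m.groups())
    if major in JDK_UPDATE_THRESHOLDS:          # 1.6.0_45 / 1.7.0_201 / 1.8.0_181 style
        return update < JDK_UPDATE_THRESHOLDS[major]
    if major == 11:                             # 11.0.x style
        return (minor, patch) < (0, 1)
    return None


def scan_inventory(paths):
    """Map each jar path to 'affected', 'outside-range' or 'not-log4j-core'."""
    results = {}
    for p in paths:
        parsed = parse_log4j_core(PurePosixPath(p).name)
        if parsed is None:
            results[p] = "not-log4j-core"
        else:
            results[p] = "affected" if is_affected(parsed[0]) else "outside-range"
    return results


# Constructed sample inventory (not real hosts); run scan_inventory(SAMPLE_JARS) on it.
SAMPLE_JARS = ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/log4j-core-2.0-beta9.jar",
               "/opt/app/lib/log4j-core-2.15.0.jar", "/opt/legacy/lib/log4j-1.2.17.jar"]
```

Filename-based matching only finds jars shipped under their standard names; shaded or renamed jars need a manifest or class-level check instead.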

This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ilkka Turunen. Read the original post at: