The exploit, which allows code to be executed remotely on any vulnerable machine, affects Log4j, an open-source logging library found in all kinds of software and services, from iCloud to Steam to Minecraft.
Security teams at companies around the world have begun patching a vulnerability made public last Thursday that allows remote code execution on vulnerable machines with very little effort. The exploit has been dubbed Log4Shell and lies in Log4j, an open-source logging library widely used in Internet applications and servers.
A log is a standard software record in which an application notes the events that take place while it runs, so that when an error occurs the record can be reviewed to identify the problem. Log4j is present in millions of Internet servers that now need to be patched quickly to prevent attacks by cybercriminals, who can easily install malware by exploiting Log4Shell. To trigger the exploit, the attacker only has to get the vulnerable software to write a specially crafted string of characters to the log. From that point on, the doors are open.
Security researcher Marcus Hutchins pointed out that “this log4j vulnerability (CVE-2021-44228) is extremely dangerous. Millions of applications use Log4j for logging, and all the attacker needs to do is have the application log a special string (of characters). So far, iCloud, Steam, and Minecraft have been confirmed to be vulnerable.”
Hutchins delves into the case of the popular video game Minecraft, where attackers were able to execute code remotely on its servers by posting the string required for the exploit in the game’s chat, which Log4j then logged. Other security reports also list servers belonging to companies such as Amazon, Twitter, and Cloudflare.
But it was precisely on the Minecraft game servers, since patched by Microsoft, that the exploit was first seen in operation. Alibaba’s cloud security team reported the discovery to the Apache Foundation on November 24. Apache is the organization that develops widely used software such as the open-source Apache HTTP server and the Log4j library, among many others. The foundation took two weeks to prepare an update to Log4j that fixes the vulnerability and has now made it public. According to Apache, the versions of Log4j affected by Log4Shell range from 2.0-beta9 to 2.14.1; the new release, 2.15.0, no longer contains the vulnerability.
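A practitioner's first job after a disclosure like this is working out which of their own deployments fall inside the affected range. The following Python script is an added example, not code from the article or from Apache; it encodes only the version range the article states (2.0-beta9 through 2.14.1, with 2.15.0 as the first fixed release) and compares Log4j 2 version strings against it, handling the beta and rc pre-release tags that a plain string comparison would get wrong. The hostnames and version strings in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected range as stated by Apache for CVE-2021-44228 (taken from the article):
# 2.0-beta9 through 2.14.1 inclusive; 2.15.0 is the first release without the bug.
AFFECTED_FROM = "2.0-beta9"
AFFECTED_TO = "2.14.1"
FIXED_IN = "2.15.0"

# Pre-release stages in the order Log4j 2 publishes them: beta < rc < final release.
_STAGE_RANK = {"beta": 0, "rc": 1}
_FINAL_RANK = 2

# Accepts "2.14.1", "2.0", "2.0-beta9", "2.0-rc1"; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j 2 version string into a tuple that sorts correctly.

    "2.0-beta9" -> (2, 0, 0, 0, 9)   beta9 sorts before the 2.0 final release
    "2.14.1"    -> (2, 14, 1, 2, 0)  final releases get the highest stage rank
    Raises ValueError for strings that do not look like a Log4j 2 version.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, stage, pre_num = match.groups()
    if stage is None:
        return (int(major), int(minor), int(patch or 0), _FINAL_RANK, 0)
    return (int(major), int(minor), int(patch or 0), _STAGE_RANK[stage.lower()], int(pre_num))


def is_affected(version: str) -> bool:
    """True if the version lies in the range Apache listed as vulnerable to Log4Shell."""
    return parse_version(AFFECTED_FROM) <= parse_version(version) <= parse_version(AFFECTED_TO)


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Classify (host, version) pairs; versions that cannot be parsed are flagged for manual review."""
    report: Dict[str, str] = {}
    for host, version in inventory:
        try:
            report[host] = "PATCH NOW" if is_affected(version) else "not in affected range"
        except ValueError:
            report[host] = "unknown version - review manually"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for this example.
    sample = [
        ("app-01.example.internal", "2.14.1"),      # last affected release
        ("app-02.example.internal", "2.15.0"),      # first fixed release
        ("legacy.example.internal", "2.0-beta8"),   # predates the affected range
        ("build.example.internal", "2.0-rc1"),      # rc sorts after beta9, so affected
        ("bad-data", "log4j-core.jar"),             # not a version string at all
    ]
    for host, verdict in triage(sample).items():
        print(f"{host:28} {verdict}")
```

The pre-release handling matters because a naive string comparison would place "2.0-rc1" after "2.0-beta9" but also after "2.0", and "2.0-beta10" before "2.0-beta9"; the tuple key avoids both mistakes. The check says nothing about versions outside the range the article quotes, so an inventory entry reported as "not in affected range" still needs whatever later guidance Apache publishes.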
Although large Internet companies are able to patch their systems quickly, the library is also often embedded in third-party software that only its vendors can patch. The security company GreyNoise says it has already detected numerous hosts scanning the Internet for machines vulnerable to the exploit.
John Graham-Cumming, CTO of Cloudflare, told The Verge that “this is a very serious vulnerability due to the widespread use of Java (programming language) and this Log4j package. There is a huge amount of Java ‘software’ connected to the Internet and in back-end systems. When I look back over the last ten years, there are only two other exploits that come to mind with similar severity: Heartbleed, which allowed information to be obtained from servers that should have been secure, and Shellshock, which allowed code to be executed on a remote machine.” For his part, Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the biggest and most critical vulnerability of the last decade”, according to The Guardian.