The U.S. government and cybersecurity professionals are issuing dire warnings over a newly discovered remote code execution vulnerability in the popular Java logging tool, Log4j, that could give an attacker unfettered access to a compromised system.
The vulnerability in the widely used Log4j system, maintained by the Apache Software Foundation, is particularly dangerous given the sheer number of applications using the tool and the relative simplicity of exploitation. It is the most popular Java logging library with over 400,000 downloads from its GitHub project, and “millions” of other products use it.
Nearly every large provider of IT products and services is impacted, including VMware, Cisco, Microsoft, Amazon, cybersecurity providers, and others.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has pledged to release a list of affected products and vendor advisories. However, others have already jumped the gun and released a long list of vendors and their responses to the vulnerability.
According to CISA, the vulnerability impacts Log4j versions 2.0-beta9 to 2.14.1, specifically in the way the Java Naming and Directory Interface (JNDI) resolves variables. Affected versions of the tool contain JNDI features, such as lookup substitution, that do not protect against adversary-controlled LDAP and other JNDI-related endpoints.
“An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code,” read the agency’s advisory. “The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.”
Paul Ducklin, principal research scientist at cybersecurity firm Sophos, says the vulnerability allows a malicious user to send a request to a vulnerable server that includes some data—like an HTTP header—that the server is expected to write to its logfile.
In an interview with CI sister site My TechDecisions, Ducklin said that data can be booby-trapped to include malware and help a threat actor establish a presence in a target network.
“What you end up with is something that was supposed to be a super flexible, fantastic, exceptional feature in a widely used logging program that actually turns into an explosively dangerous exploit,” Ducklin says. “You’re taking untrusted data that came from a user, assuming you can do magic things with it. Unfortunately, you’re putting the loggee in charge of the logger. Since the loggee can be anywhere in the world with a traditional server, that’s very bad indeed.”
For any business, this means scanning your IT environment for any instance of the vulnerability and upgrading to the latest version of Log4j or applying patches from technology vendors.
For the AV integration community, extra attention should be placed on tools used to remotely manage customers’ AV systems, as several such vendors have acknowledged having affected products and have since released patches.
The true list may be massive given how popular Log4j is, but AV-aligned vendors that have publicly acknowledged impacted products include Cisco, ConnectWise and others.