Apache Log4j2 library vulnerability
On Thursday, December 9, 2021, a zero-day exploit was made public in the popular Java logging library Log4j. Log4j is widely used to create and store logging information from software, applications, hardware appliances, etc.
Impacted versions of Log4j are 2.0 to 2.14.1; the vulnerability is fixed in versions 2.15.0 and 2.16.0.
How big is the risk? This is a particularly dangerous vulnerability because it can be exploited remotely, it requires no authentication, and it can give full access to the server or device being attacked. Furthermore, it is trivial to exploit (using only a single line of code), and proof-of-concept attacks are already published online.
This logging library is widely used and is found in a wide range of appliances and software, including Apache Struts, Tomcat and Solr, Linux distributions, and products from vendors such as BlackBerry, Symantec and Apple.
Who’s most affected?
Unfortunately, there is no specific type of organization that is more likely to be affected than another, and it is difficult for an individual business to tell whether it is vulnerable. For example, a customer might not have the vulnerability in software they have written themselves, yet it is entirely possible that appliances and services they use (such as VPN devices, cloud providers, etc.) do.
What should you tell your clients?
Key questions to ask your clients:
- Are you aware of the recent log4j vulnerability aka CVE-2021-44228 or log4shell?
- Have you assessed your exposure to it for internally developed applications?
- Have you spoken to your hardware/software/cloud vendors and assessed whether their services are impacted?
- Do you have a plan to deploy updates based on the outcomes of the questions above?
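One way to start the exposure assessment for internally developed applications (an added example, not code from BOXX or from the advisories linked below): a Python script that finds log4j-core jars under a directory and compares the version in each jar's manifest against the 2.0 to 2.14.1 range stated above. It assumes the jar's manifest carries an Implementation-Version entry and that the org/apache/logging/log4j/core/ package marks a log4j-core jar; the jars built by demo() are constructed samples.

```python
import re
import sys
import tempfile
import zipfile
from pathlib import Path

LAST_VULNERABLE = (2, 14, 1)  # impacted range stated above: 2.0 through 2.14.1
CORE_MARKER = "org/apache/logging/log4j/core/"  # package present only in log4j-core jars

def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> (2, 14, 1) / (2, 0, 0); pre-release tags are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def is_vulnerable_version(text):
    v = parse_version(text)
    return v is not None and (2, 0, 0) <= v <= LAST_VULNERABLE

def log4j_core_version(jar_path):
    """Implementation-Version from a log4j-core jar's manifest, or None if not log4j-core."""
    with zipfile.ZipFile(jar_path) as z:
        if not any(n.startswith(CORE_MARKER) for n in z.namelist()):
            return None
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def scan_tree(root):
    """Sorted (file name, version, vulnerable) for every log4j-core jar under root."""
    found = []
    for jar in Path(root).rglob("*.jar"):
        try:
            version = log4j_core_version(jar)
        except (zipfile.BadZipFile, KeyError):  # not a zip file, or no manifest
            continue
        if version is not None:
            found.append((jar.name, version, is_vulnerable_version(version)))
    return sorted(found)

def demo():
    """Constructed sample: two minimal fake log4j-core jars, one in the impacted range."""
    root = tempfile.mkdtemp()
    for version in ("2.14.1", "2.16.0"):
        with zipfile.ZipFile(Path(root, f"log4j-core-{version}.jar"), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            z.writestr(CORE_MARKER + "Core.class", b"")
    return scan_tree(root)

if __name__ == "__main__":  # usage: python log4j_scan.py /path/to/app  (no argument runs the demo)
    for name, version, vulnerable in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print("VULNERABLE" if vulnerable else "ok", "log4j-core", version, name)
```

The scan does not look inside jars nested in .war or .ear archives or inside shaded jars, and a clean result says nothing about the appliances, cloud services and vendor software covered by the other questions.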
Further Reading
(Please note these are external links and are not endorsed or vetted by BOXX):
CCCS AV21-626 Apache Security Advisory
CERT United Kingdom – Alert: Active scanning for Apache Log4j 2 vulnerability (CVE-2021-44228)
CERT New Zealand – Log4j RCE 0-day actively exploited
Florian Roth – log4j RCE Exploitation Detection (Grep and YARA)
Greynoise IP List – CVE-2021-44228 Apache Log4j RCE Attempts
GitHub community resource identifying vulnerable applications