Severe Vulnerability Discovered in Java Logging Package – Log4j


As some of you may know, a severe vulnerability was discovered in Log4j, a Java logging package. This ubiquitous package is included in products such as those from Apache and Apple. Worse yet, it is so widely used that it is believed to be present in multiple components within applications.

This means that security teams worldwide are likely to be dealing with this vulnerability for a while, possibly for years. The following products are known to be affected:

  • Apple
  • Twitter
  • Steam
  • Tesla
  • Apache applications (e.g. Apache Struts, Solr and Druid)
  • Redis
  • ElasticSearch
  • Video games (e.g. Minecraft)
  • UniFi controller platform

The impact:

The severity cannot be overstated: exploitation can be as simple as copying and pasting a payload. An attacker who exploits this vulnerability can gain remote access to vulnerable endpoints. This gives the attacker a foothold on a network from which to gain high-level privileges on a mission-critical server, or could potentially result in a network-wide compromise.

Furthermore, this vulnerability is being actively scanned for, and there are reports of active breaches involving strains of malware. Whilst there are not any high-profile reports of ransomware, it is only a matter of time.

The remediation:

Those running products with vulnerable Log4j versions should upgrade to version log4j-2.15.0.rc2 immediately. In addition, it is highly recommended to read the resource labelled “Technical information.” Huntress created a tool to identify Log4j in applications. Additionally, information is being added to their article as it is discovered.

Sources and References:

Risk Crew