- A previously unknown vulnerability called Log4Shell is being patched across large and small companies.
- Millions of applications use Log4j, and this zero-day allows an attacker remote code execution and malware deployment.
- At the moment, Minecraft, Steam, and iCloud have been confirmed vulnerable.
Security teams at large and small companies are patching a previously unknown vulnerability, which was publicly released early Friday morning and could allow hackers to take over millions of devices on the internet. Log4Shell is a zero-day vulnerability in Apache Log4j's Java-based logging platform: an attacker only has to set their own browser's user agent to a particular string, and when a vulnerable server logs that string, it executes a command of the attacker's choosing and can deploy malware.
Thousands of apps and services use the Log4j open-source logging library. Log4j is popular because nearly every network security system needs a logging process. Although the Log4j 2.15.0 update is available, threat actors have already managed to exfiltrate data, install malware, or take over vulnerable servers.
Security Researcher Marcus Hutchins said on Twitter that millions of applications use Log4j and that an attacker has to get them to log a special string. Steam, Minecraft, and iCloud are confirmed to be susceptible to remote code execution (RCE) at the moment.
Amazon, Apple, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft use Log4j as a logging package. For example, attackers have used specially crafted messages pasted into the Minecraft chat box to gain remote code execution access.
Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys, said that the Apache Log4j zero-day vulnerability is likely of high severity and probably the most critical one Qualys has seen this year.
GreyNoise reported numerous internet scans searching for vulnerable machines. Cloudflare reported monitoring 20,000 exploit requests per minute at 6:00 PM UTC on Friday, most of which originated in Canada, the US, the Netherlands, France, and the UK.
Because of the range of delivery mechanisms and the diversity of vulnerable applications, the risk is far from contained. The exploit does not even have to arrive directly over the internet: the attack string can be hidden in a QR code that is scanned, for example, by a package delivery company. Log4Shell remains a threat until every vulnerable machine is updated.
There is a fully automated and extensive scanner available on GitHub for finding log4j RCE (CVE-2021-44228), which is ideal for companies to scan their infrastructure and also test for WAF bypasses.
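Network scanners of the kind mentioned above find exposed services; a complementary check is an inventory of the Log4j JARs actually present on a host. The script below is an added example, not the article's scanner or any project's code: it reads the `pom.properties` that Maven-built `log4j-core` JARs carry under `META-INF/maven/`, compares the version against the 2.15.0 update the article cites (treated here as the assumed minimum fixed version), and also reports whether the `JndiLookup` class is present. The `make_sample_jar` helper builds constructed in-memory JARs so the check runs offline; real use would point `scan_directory` at an application directory.

```python
import io
import re
import zipfile
from pathlib import Path

# Assumption for this example: the article names 2.15.0 as the update, so anything lower is flagged.
MIN_FIXED_VERSION = (2, 15, 0)
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str):
    """Turn '2.14.1' into (2, 14, 1); non-numeric tails such as '-rc1' are dropped."""
    parts = re.findall(r"\d+", text)[:3]
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def inspect_jar_bytes(data: bytes) -> dict:
    """Report log4j-core version and JndiLookup presence for one JAR held in memory."""
    version = None
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        for name in names:
            if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                match = re.search(r"^version=(\S+)", jar.read(name).decode("utf-8", "replace"), re.M)
                if match:
                    version = match.group(1)
        has_jndi_class = JNDI_CLASS in names
    is_log4j_core = version is not None
    outdated = is_log4j_core and parse_version(version) < MIN_FIXED_VERSION
    return {
        "log4j_core": is_log4j_core,
        "version": version,
        "jndi_lookup_present": has_jndi_class,
        # Vulnerable if the version is old and the lookup class has not been removed.
        "vulnerable": outdated and has_jndi_class,
    }


def scan_directory(root: str):
    """Inspect every .jar under root and return the findings for log4j-core JARs only."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        result = inspect_jar_bytes(path.read_bytes())
        if result["log4j_core"]:
            findings.append((str(path), result))
    return findings


def make_sample_jar(version: str, include_jndi_class: bool) -> bytes:
    """Construct a minimal fake log4j-core JAR for demonstration (not a real artifact)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as jar:
        jar.writestr(POM_PREFIX + "pom.properties", f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi_class:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return buffer.getvalue()


if __name__ == "__main__":
    for label, data in [("old", make_sample_jar("2.14.1", True)),
                        ("old, class removed", make_sample_jar("2.14.1", False)),
                        ("updated", make_sample_jar("2.15.0", True))]:
        print(label, inspect_jar_bytes(data))
```

The two signals are deliberately kept separate in the result: a version check alone misreports hosts where the lookup class was stripped from an old JAR as a stopgap, and a class check alone says nothing about JARs that have been shaded into an application's own archive, so a practitioner wants both numbers in the inventory.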