According to multiple sources, hackers are already testing exploits for this weakness, which gives them access to an application and might allow them to run malicious software on a device or server. But what exactly is the Log4Shell flaw, and who is affected?
The vulnerability was discovered on December 9, though some accounts claim it was found on December 1, and was highlighted by Chen Zhaojun of Alibaba Cloud Security. The flaw is known as Log4Shell and has the CVE ID CVE-2021-44228 (a CVE number is the unique number given to each vulnerability discovered across the world).
The issue affects versions of Log4j 2, a popular logging library used by applications worldwide. Logging allows developers to see all of an application’s activity. This open-source library is used by Apple, Microsoft, Google, and enterprise applications from Cisco, NetApp, Cloudflare, Amazon, and others.
The open-source Apache Log4j library has received over 400,000 downloads from its GitHub repository, according to cybersecurity firm Check Point. The flaw is significant because it might allow hackers to take control of Java-based web servers and launch remote code execution (RCE) attacks. To put it another way, the flaw might allow a hacker to take control of a system.
Rahul Sasi, founder of AI-based Digital Risk Management and Cybersecurity firm CloudSEK, said about the issue, “Log4Shell is a vulnerability which is going to have a tremendous impact; it can be considered as the most critical bug of 2021. Threat actors have been comparing it to Eternal Blue, Shellshock and Heartbleed. The vulnerability is easy to exploit on a large scale as almost 90% of the JAVA applications use the Log4j utility. It is important to remember the fact that even though an organisation has patched their infrastructure, they might already be infected. So, Monitoring and Minimizing will be very important in the coming months.”
Minecraft, which Microsoft owns, was one of the first to recognise the problem, issuing a statement that the Java edition of the game was at serious risk of being hacked. According to the company’s statement, the issue has been resolved with all versions of the game client patched, but players will still need to take additional actions to secure the game and their servers.
Google stated that it is “currently analysing the possible implications of the vulnerability for Google Cloud products and services” in a statement. “This is a continuing issue, and we will continue to offer updates to our customers through our various lines of contact.”
Cisco has confirmed that some of its devices are vulnerable, including the widely used Cisco Webex Meeting server, and it is looking into whether there are any others. Cloudflare, a web infrastructure provider, has also issued a statement urging clients to update Log4j versions and apply the updated software patches. VMware, an enterprise software company, published a statement saying that it, too, has witnessed exploitation attempts and that the hole affects some of its core products. Apple has yet to comment on the situation.