A simple-to-use exploit that gives remote code execution and full control over millions of vulnerable enterprise systems through a Java logging library is currently being abused on a large scale, researchers warn.
The bug lies in the Apache Foundation's open source Struts Log4j logging utility, in version 2.14 and earlier.
It is caused by the Java Naming and Directory Interface (JNDI) application programming interface not protecting against lookups at attacker-controlled endpoints, including ones that use the Lightweight Directory Access Protocol (LDAP).
When a vulnerable application writes a message to a log, the default Log4j configuration has the library perform a lookup against a server; if an attacker controls that server, it can be set to send a malicious response.
The response can contain a remote Java class file, which is injected into the server process and executed with the same privileges as the vulnerable application using the logging library.
And yes, you can google pretty much any big InfoSec vendor with log4j and find... things.
— Kevin Beaumont (@GossiTheDog) December 10, 2021
A proof of concept was published on Twitter and on GitHub, and the vulnerability is rated a full 10 out of 10 on the Common Vulnerability Scoring System (CVSS).
Computer emergency response teams around the world are now reporting active exploitation of the bug by automated systems.
Researchers have so far confirmed that Apple's iCloud service, Valve's gaming platform Steam, and Microsoft's popular Minecraft game are vulnerable to the bug, which is named Log4Shell.
In Minecraft, testers have reported they've been able to trigger the bug by pasting the exploit string into a chat window.
The vulnerability could also be used to deanonymise The Onion Router (TOR) servers, CyberCX executive director of security testing and assurance Adam Boileau explained.
“Step one of exploiting it is making the victim Java runtime make an outbound connection to get to the second step, and which might be a system outside TOR,” Boileau said.
“The second step provides arbitrary code execution, so at that point you can do anything,” he added.
“At that stage, [the attacker] can see the whole server and find out all the things.”
The Apache Foundation has issued log4j version 2.15.0, which is not vulnerable to Log4Shell by default.
Administrators running older Log4j versions can also turn off the message lookups that trigger the arbitrary code execution bug.
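As an added illustration, not code from the article or from the Apache project, the following Python inventory check reads each jar's manifest and flags log4j-core builds older than the 2.15.0 fix; it assumes the manifest's Implementation-Title and Implementation-Version fields (the real log4j-core artifact labels itself "Apache Log4j Core", but verify against a real jar), and the jars it scans are constructed samples.

```python
import io
import re
import zipfile

# The article states 2.14 and earlier are affected and 2.15.0 is the fixed release.
FIXED_VERSION = (2, 15, 0)
# Manifest title the log4j-core artifact carries (assumed here; verify against a real jar).
LOG4J_CORE_TITLE = "Apache Log4j Core"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing trailing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(version):
    """True when the version precedes the fixed 2.15.0 release."""
    return parse_version(version) < FIXED_VERSION

def log4j_core_version(jar_bytes):
    """Implementation-Version from the manifest if the jar is log4j-core, else None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    fields = {}
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("Implementation-Title") != LOG4J_CORE_TITLE:
        return None
    return fields.get("Implementation-Version")

def scan_jars(jars):
    """Map jar name -> version for every jar that is an affected log4j-core build."""
    findings = {}
    for name, data in jars.items():
        version = log4j_core_version(data)
        if version is not None and is_vulnerable(version):
            findings[name] = version
    return findings

def make_jar(title, version):
    """Constructed sample jar holding only a manifest (no classes), for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\n"
                    f"Implementation-Title: {title}\nImplementation-Version: {version}\n")
    return buf.getvalue()

# Constructed inventory: two affected builds, the fixed build, and an unrelated library.
SAMPLE_JARS = {
    "app/lib/log4j-core-2.14.1.jar": make_jar(LOG4J_CORE_TITLE, "2.14.1"),
    "app/lib/log4j-core-2.11.0.jar": make_jar(LOG4J_CORE_TITLE, "2.11.0"),
    "app/lib/log4j-core-2.15.0.jar": make_jar(LOG4J_CORE_TITLE, "2.15.0"),
    "app/lib/log4j-api-2.14.1.jar": make_jar("Apache Log4j API", "2.14.1"),
}
```

On a real host, replace SAMPLE_JARS with the bytes of every .jar found under the application directories; nested jars inside .war or .ear archives need the same check applied recursively.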
Chen Zhaojun of Alibaba's Cloud Security Team is credited with having found the bug.