Security News > 2021 > December > Critical RCE 0day in Apache Log4j library exploited in the wild (CVE-2021-44228)
A critical zero-day vulnerability in Apache Log4j, a widely used Java logging library, is being leveraged by attackers in the wild - for now primarily to deliver coin miners.
Reported to the Apache Software Foundation by Chen Zhaojun of Alibaba Cloud Security Team, the bug has now apparently been fixed in Log4j v2.15.0, just as a PoC has popped up on GitHub and there are reports that attackers are already attempting to compromise vulnerable applications/servers.
The Apache Software Foundation says that in Apache Log4j2 versions 2.14.1 and earlier "JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled."
"The log4j vulnerability parses this and reaches out to the malicious host via the 'Java Naming and Directory Interface'. The first-stage resource acts as a springboard to another attacker-controlled endpoint, which serves Java code to be executed on the original victim. Ultimately, this grants the adversary the opportunity to run any code they would like on the target: remote code execution,".
"Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable. Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach."
"If your organization uses Apache log4j, you should upgrade to log4j-2.1.50.rc2 immediately. Be sure that your Java instance is up-to-date; however, it's worth noting that this isn't an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products," Hammond added.
News URL
https://www.helpnetsecurity.com/2021/12/10/cve-2021-44228/
Related news
- Apache issues patches for critical Struts 2 RCE bug (source)
- New critical Apache Struts flaw exploited to find vulnerable servers (source)
- Critical security hole in Apache Struts under exploit (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
- Apache warns of critical flaws in MINA, HugeGraph, Traffic Control (source)
- Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization (source)
- Mitel 0-day, 5-year-old Oracle RCE bug under active exploit (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)