The Log4Shell vulnerability, discovered by the Alibaba Cloud Security Team and disclosed by Kronos on December 9, 2021, affects multiple versions of the Apache Log4j 2 logging utility. The vulnerability (CVE-2021-44228, CVSS score 10.0) affects Apache Log4j 2 versions 2.0 through 2.14.1. According to Randori, “the vulnerability allows threat actors to execute unauthenticated remote code execution,” which means that “any scenario that allows a remote connection to supply arbitrary data that is written to log files by an application utilizing the Log4j library is susceptible to exploitation. This vulnerability is being exploited in the wild and thousands of organizations are impacted. This vulnerability poses a significant and active real world risk to affected systems—PLEASE TAKE IMMEDIATE ACTION.” (www.randori.com)
A second vulnerability was discovered on December 14, 2021. According to Unit 42 of Palo Alto Networks, exploitation of the vulnerability “was incredibly easy to perform” and “massive scanning activity for CVE-2021-44228 has begun on the internet with the intent of seeking out and exploiting unpatched systems. We highly recommend that organizations upgrade to the latest version (2.16.0) of Apache log4j for all systems” which will also patch the vulnerability found on December 14, 2021.
According to the Cybersecurity and Infrastructure Security Agency’s (CISA) alert on December 15, 2021: “Apache has released a security update to address a second severe vulnerability affecting its Log4j software library, which a remote attacker could exploit to cause a denial-of-service condition…. Affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to protect against both vulnerabilities. Log4j is broadly used in a variety of consumer and enterprise services, websites, applications and operational technology products to log security and performance information…. It is noted that this second vulnerability could cause a ‘denial-of-service’ condition. A cyberattack that interrupts or shuts down mission-critical medical technology could cause delays in health care delivery and risk patient safety. Thus, we strongly advise the field to expeditiously implement this second patch, and we urge the government to take immediate countermeasures against any cyber actor and their infrastructure identified as attempting to exploit these vulnerabilities.”
The bottom line right now is to patch as quickly as possible if you have not already done so, and to hope you have not already been compromised.
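Knowing whether you still need to patch starts with an inventory. The following is an added example, not code from the original article or from the Log4j project: a small Python script that walks a directory tree, reads the version from each log4j-core jar's manifest (falling back to the filename), and reports jars in the 2.0 through 2.14.1 range as vulnerable and jars on 2.15.0 as still needing 2.16.0, following the version ladder the article lays out. The `make_sample_jar` and `demo` helpers are assumptions that build constructed stand-in jars so the script runs offline.

```python
import os
import re
import tempfile
import zipfile

FIXED = (2, 16, 0)  # release the article says closes both December 2021 vulnerabilities

def parse_version(text):
    """Pull the first x.y.z triple out of a manifest line or a jar filename."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def jar_version(path):
    """Read Implementation-Version from the jar manifest; fall back to the filename."""
    with zipfile.ZipFile(path) as jar:
        if "META-INF/MANIFEST.MF" in jar.namelist():
            for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:") and parse_version(line):
                    return parse_version(line)
    return parse_version(os.path.basename(path))

def classify(version):
    """Map a log4j-core version to the action implied by the advisory text."""
    if version is None:
        return "unknown"          # no parsable version: review by hand
    if version >= FIXED:
        return "ok"
    if version >= (2, 15, 0):
        return "needs-2.16.0"     # 2.15.0 addressed the first CVE only
    return "vulnerable"           # 2.0 through 2.14.1

def scan(root):
    """Walk a tree and report every log4j-core jar as (path, version, status)."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                report.append((path, version, classify(version)))
    return sorted(report)

def make_sample_jar(path, version):
    """Constructed stand-in for a real jar: only a manifest carrying the version."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

def demo():
    """Build three constructed jars in a temp dir and return {version: status}."""
    with tempfile.TemporaryDirectory() as root:
        for v in ("2.14.1", "2.15.0", "2.16.0"):
            make_sample_jar(os.path.join(root, f"log4j-core-{v}.jar"), v)
        return {v: status for _, v, status in scan(root)}
```

The script keys on the declared version only, so an old jar that received an interim mitigation is still reported as vulnerable, and jars nested inside WAR or EAR archives are not opened.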