On Thursday, December 9th, researchers discovered a 0-day exploit (CVE-2021-44228) in Apache Log4j (version 2), the open-source Java logging library. It allows attackers to gain unauthenticated access to log messages and remotely control the affected servers, making this impact highly severe. The exploit was initially discovered in Minecraft; however, researchers have warned that cloud applications are also highly vulnerable. Admins have been left scrambling ever since news of this security flaw came to light.
Is Password Secure affected?
Password Secure is aware of this exploit and concludes that our software is NOT AFFECTED by this vulnerability. No action is required for customers using our supported software versions 8.10 or higher.
Another library used by Password Secure is the Log4js or Log4 Java Script. It has no relation with Log4j or Log4 Java and is NOT affected by the vulnerability.
Our security recommendations
For those using a version below 8.10, we urgently recommend updating to our latest version. We no longer provide support for version 8.9 and older, and being a critical component of system security, it is advisable to update your software.
If you use the Apache server for Password Secure: the issue has already been fixed, and therefore, we strongly recommend that you perform a server update.
What is Apache Log4j?
As part of the Apache Logging project, Apache Log4j is popularly used by enterprises and developers worldwide, with the library being an easy way to log errors.
“Many large software companies and online services use the Log4j library, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and many more. “
Why is CVE-2021-44228 just so dangerous?
Also called Log4Shell or LogJam, CVE-2021-44228 is a Remote Code Execution (RCE) class exploit. If attackers can gain remote access to any server, they can gain control of the company systems, install cryptominers, steal confidential data, and compromise networks.
“Developers use logging frameworks to keep track of what happens in a given application. To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. From there, they can load arbitrary code on the targeted”.
It can be as simple as setting this snippet as a harmless account username for hackers. Staying true to its nature, open-source software can be integrated wherever and whenever wanted and loiter around unprotected.
Who are at risk?
An untold number of organisations are already exposed to potential remote code attacks and at risk of compromising sensitive information. Smaller, less agile organisations that lack the necessary resources and security infrastructure will be the first to take the fall. Others may see this crop up in future penetration tests. Millions of Java applications and open-source software use Log4j in different forms, which means enterprises using cloud platforms and web applications can also be at risk. The ubiquity of Log4j is yet to unfold.
As of this minute, there already are alerts about malicious cryptominers and even botnets like Mirai, Tsunami, and Kinsing, leveraging the Log4j vulnerabilities to install crypto-mining malware. What’s frightening is that Log4j will go on to wreak havoc for the unforeseeable future. While the full severity of this exploit is still coming into view, the best solution, for now, is to stock up with security measurements to shorten the tail of impact and make necessary updates as latest as possible.