
Chinese programmer discovers "biggest computer vulnerability in recent years"

Author: Observer.com

According to an Associated Press report on December 11, China's Alibaba Cloud security team found a vulnerability in Log4j, an open source logging component under the web server software Apache. This vulnerability allows network attackers to access network servers without passwords.

Cybersecurity experts believe the vulnerability is potentially extremely harmful, and may even be "the biggest vulnerability in computer history." Cloud services including Apple, Samsung, and Steam could all be affected. The Apache Software Foundation has ranked the severity of the vulnerability as the highest.


The latest warning issued by the Alibaba Cloud team on December 10

The incident began on the 24th of last month, when a member of the Alibaba Cloud team in China disclosed the vulnerability to Apache. Subsequently, official computer emergency response teams in Austria and New Zealand took the lead in providing early warning of the vulnerability.

New Zealand said the vulnerability was being "aggressively exploited" and that proof-of-concept code had also been released.

The vulnerability exposed this time exists in Log4j, a Java logging framework that is widely used in various applications and network services. It is an in-program recording tool that saves a record of executed activities and makes it easier to check what happened when problems occur. Almost every network security system utilizes some kind of logging framework for logging, which is also why Log4j has such wide reach.

Joe Sullivan, chief security officer at cybersecurity management firm Cloudflare, said the vulnerability allowed a malicious attacker to "remotely execute code" to gain access to other systems, which could be the "biggest vulnerability" to date given the widespread use of the Log4j software.

By the 10th of this month, the alarm was further expanded. On the same day, Microsoft's game Minecraft issued an announcement that the Java version of the game is vulnerable to attack and advised users to take immediate measures to solve the security problem. Players can execute programs on other players' computers by pasting messages in the game chat box.


On the same day, Sullivan said the company had found a spike in malicious users using the vulnerability "in the last 6 to 10 hours."

Researchers at data security platform LunaSec found evidence that Steam, as well as Apple's cloud services, were affected, while Palo Alto Networks noted in a blog post that Twitter and Amazon were also attacked.

Experts have warned of the potential harm of the vulnerability.

Adam Meyers, senior vice chairman of cybersecurity company CrowdStrike, said that by the morning of the 10th, US time, hackers had "fully weaponized" the vulnerability, developing tools that use it and distributing them to the outside world. He said "the internet is on fire right now," with criminals and hackers scrambling to exploit the vulnerability while cybersecurity personnel at major agencies race against the clock to patch it.

Amit Yoran, CEO of Tenable, another cybersecurity company, called Log4Shell "the largest and most critical single vulnerability of the last decade" and perhaps even "the largest in the history of modern computers."

The Associated Press commented that the vulnerability may be the most serious computer vulnerability found in recent years. Log4j is "ubiquitous" in cloud servers and enterprise software used across the industry and in government. Unless fixed, criminals, spies, and even novice programmers can easily use this vulnerability to break into internal networks, steal information, implant malware, delete critical information, and so on.

The Apache Software Foundation has ranked the severity of the vulnerability as the highest on a scale of 10.


Foreign social media users explain the importance of Log4j in the form of memes

At present, major companies have begun to work on fixing this vulnerability. According to McAfee, the world's largest cybersecurity company, the most important and complete mitigation is to update log4j to stable version 2.15.0.

In the future, McAfee also plans to use additional services such as DNS to test changes to the vulnerability. We may update this document accordingly based on results. Meanwhile, McAfee Enterprise has released a network signature, KB95088, for customers using the NSP (Network Security Platform), which detects attempts by attackers to exploit the vulnerability.

On December 10, the Alibaba Cloud security team issued an announcement saying it had found a bypass of the fix in Apache Log4j 2.15.0-rc1 and urging users to update to the official release of Apache Log4j 2.15.0 promptly.

This article is an exclusive manuscript of the Observer Network and may not be reproduced without authorization.
