According to security researchers, a zero-day vulnerability in the Java logging library Apache Log4j could lead to complete server takeover and leaves countless applications vulnerable. The vulnerability was first detected in the game Minecraft.

According to a bulletin by CERT New Zealand, the unauthenticated remote code execution vulnerability (classified as critical and tracked as CVE-2021-44228) is being actively exploited, and proof-of-concept code has been published.
CERT NZ said systems and services that use the Java logging library Apache Log4j between versions 2.0 and 2.14.1 (including many applications and services written in Java) are vulnerable.
To avoid being attacked, CERT NZ urgently recommends that users upgrade Log4j to Log4j-2.15.0-rc2.
In an alert released Friday, the U.S. Cybersecurity and Infrastructure Security Agency said users and administrators are encouraged to review the Apache Log4j 2.15.0 bulletin and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
The vulnerability was initially discovered in the game Minecraft, but cloud applications, including those widely used across the enterprise, are also vulnerable. This includes software, web applications and products from Apple, Amazon, Cloudflare, Twitter, and Steam.
"It's a worst-case scenario," said Casey Ellis, CTO of security firm Bugcrowd, "and it's going to be a long weekend for a lot of people."
According to Cyber Kendra, Alibaba Cloud's security team first reported the vulnerability to Apache on November 24.
Experts at security firm Randori said the breach could affect "thousands of organizations" and pose a significant real-world risk to the affected systems.
Rob Joyce, a former White House Homeland Security adviser and current NSA cybersecurity director, spoke about Log4j on Twitter, saying, "Even the NSA's GHIDRA, an open source reverse engineering tool, is a significant threat due to the widespread use of software frameworks."
LunaSec CEO Free Wortley and developer Chris Thompson said in a blog post that similar vulnerabilities have been exploited before, such as in the 2017 Equifax data breach, which exposed sensitive information of about 143 million U.S. consumers.
"In fact, any application that allows remote connections using the Log4j library is vulnerable to exploitation of arbitrary data written to log files," the Randori attack team said.
John Hammond, a senior security researcher at Huntress, said in a blog post: "Log4j packages may be bundled with any given vendor that you use. Unfortunately, in this case, the vendor itself needs to push the security update downstream."
This vulnerability has no obvious goal, and depending on other factors of access control and security posture, this could lead to compromises in the future for businesses – whether it's cryptocurrency miners, or victims of ransomware.
The dreaded warning also serves as an example of the importance of detection and response capabilities and exposes the risks embedded in traditional security program strategies, said Tim Wade, former cyber and security technology manager for the U.S. Air Force, who is currently the technical director at Vectra AI.
"When evaluating your own risk and threat model, consider the components of the software you use, especially those that are publicly accessible," Hammond says.
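An inventory check for the two points above, the affected range given by CERT NZ (2.0 through 2.14.1) and Hammond's note that Log4j may be bundled inside vendor software, written as an added example that is not from the original article or from any vendor named in it. It assumes the library keeps its usual `log4j-core-<version>.jar` file name (renamed or shaded copies are not detected), and all function names are hypothetical.

```python
import io
import os
import re
import zipfile

# Range from the CERT NZ bulletin quoted in the article: 2.0 through 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)
# Assumption: 2.0 pre-releases such as 2.0-beta9 are treated as 2.0.
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def in_affected_range(version):
    """True if a dotted version string falls inside 2.0 .. 2.14.1."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts + (0,) * (3 - len(parts)) <= AFFECTED_MAX


def scan_archive(data, label, depth=0, max_depth=4):
    """Return [(path, version, affected)] for log4j-core jars nested in an archive."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for name in zf.namelist():
            inner = f"{label}!/{name}"
            m = CORE_JAR.search(name)
            if m:
                findings.append((inner, m.group(1), in_affected_range(m.group(1))))
            elif name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                # Vendor bundles (fat jars, WARs) can nest archives; recurse with a cap.
                findings += scan_archive(zf.read(name), inner, depth + 1, max_depth)
    return findings


def scan_tree(root):
    """Walk a directory: match loose jars by name, open other archives and look inside."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            m = CORE_JAR.search(fn)
            if m:
                findings.append((path, m.group(1), in_affected_range(m.group(1))))
            elif fn.lower().endswith(ARCHIVE_EXT):
                with open(path, "rb") as fh:
                    findings += scan_archive(fh.read(), path)
    return findings
```

Calling `scan_tree()` on an application directory returns one tuple per copy found, with the path showing the archive nesting so a bundled copy can be traced back to the vendor package that ships it.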
The original article is from databreachtoday, by Dan Gunderman, translated by Super Technology. Partner sites reprinting it should credit the source and Super Technology as the original translator.