What has happened?

On the 9th December 2021 a critical zero day vulnerability was publicly disclosed, found in a widely used Java library (a library of ready-made code packages that programmers can use for solving common issues) known as Log4j. Reports state that the vulnerability had initially been reported to Apache in late November¹ . Referred to as 'Log4Shell', this vulnerability has left organisations around the world scrambling to resolve this vulnerability. First exploited on servers for the hugely popular game Minecraft² , the ubiquity of the Log4j library (commonly installed to monitor software usage in cloud and enterprise apps, and commonly incorporated into the world's most popular web server run by Apache¹) means that many, many platforms will be affected by this.

What is the impact?

The vulnerability, formally designated CVE-2021-44228, has been deemed critical by NIST³.  The wide use of this library, alongside the relative simplicity of the exploit, has resulted in a wave of activity around the world. John Graham-Cumming, CTO of Cloudflare, stated to the Verge that he can only think of two other exploits in the last decade with similar levels of impact⁴ (specifically Heartbleed, which allowed access to servers which should have been secure, and Shellshock, which allowed bad actors to run code on remote machines). There are reports of Apple iCloud and Steam⁵ , along with many other household names, being vulnerable to this exploit mechanism. In a tweet on 13th December 2021⁶ , Sophos reported that they had already detected hundreds of thousands of attempts to remotely execute code using this vulnerability, and that searches by other organisations "suggest the vulnerability may have been openly exploited for weeks."

The vulnerability allows bad actors to remotely execute code on a target machine, which could lead to the installation of malicious software (such as that used in ransomware attacks, which can be very costly both in terms of reputation and money for companies), the theft of private data, the complete takeover a machine, as well as other avenues of attack. Many different methods of exploiting this vulnerability are possible, with unconfirmed reports of it being integrated into twitter handles, web forms and even in-game chats (and a theory has even been posed that this could be exploited offline using a maliciously configured QR code).

The ramifications of this vulnerability are not yet clear. Given the length of time that this vulnerability could have been known about within (at the very least) limited portions of the black hat community, and the evidence from multiple sources of thousands upon thousands of attempts at exploiting this, we must consider the fact that over the coming weeks we will begin to learn the true fallout.

What can be done?

The NCSC (as well as many other parties) have issued advisories⁷  to organisations in order to mitigate the potential of this vulnerability. These steps include installing update versions anywhere Log4j is known to be used (and if this is not possible, making changes to the way the code works can mitigate the risks), as well as carrying out searches to find instances where it is used that users are not aware of. Multiple organisations have already taken action (a collated list of statements is being compiled on GitHub⁸ ), and software and service providers and vendors are being advised to contact their users directly with any advisories and instructions as necessary. 

Furthermore, the potential risk to users of affected organisations should also be considered. Given the possible breadth of this exploit, we should consider an almost inevitable increase in account takeovers, exploitation of personal and financial information alongside phishing and other scams.

References

1. MSN: Log4j vulnerability explained: What Apache security flaw means and how hackers could exploit Java servers
   https://www.msn.com/en-gb/money/technology/log4j-vulnerability-explained-what-apache-security-flaw-means-and-how-hackers-could-exploit-java-servers/ar-AARNVQz

2. Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

1. CVE-2021-44228 Detail
   https://nvd.nist.gov/vuln/detail/CVE-2021-44228#vulnCurrentDescriptionTitle

4. ‘Extremely bad’ vulnerability found in widely used logging system
   https://www.theverge.com/2021/12/10/22828303/log4j-library-vulnerability-log4shell-zero-day-exploit

1. https://news.ycombinator.com/item?id=29499867
2. https://twitter.com/SophosLabs/status/1470213367142965254?s=20

7. Alert: Apache Log4j vulnerability (CVE-2021-44228)
   https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

1. https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592