If any of your systems are using the Apache Log4j logging framework, then you need to review and patch immediately.
Hackers are already attempting to exploit a discovered bug, with automatic tools actively scanning the internet for vulnerable systems, and worms deployed ready to infect systems and take remote control.
Log4j is a commonly used open source Apache logging framework that keeps a record of activity across a system. Written in Java, Log4j is in broad use in enterprise systems and web apps.
Last week Microsoft advised all users of the Java version of Minecraft to install a new version, as "This vulnerability poses a potential risk of your computer being compromised", after the vulnerability was used to execute code on Minecraft servers.
But it goes way beyond Minecraft.
As Log4j is designed to record activity, all an attacker has to do to exploit the flaw is send a specific malicious code string that eventually gets logged. This subsequently allows the attacker to load remote access Java code on the server, allowing them to take control.
Described by security researchers as "A design failure of catastrophic proportions", the exploit code can be sent via chat functions, as players have shown in the Minecraft chat. Changing your social media or device name to display the code strings could trigger the exploit, as could sending an email to an address whose contents get logged.
Cybersecurity agencies around the globe are issuing advice, including the UK's NCSC, the United States' CISA, and New Zealand's CERT, which noted that the vulnerability is reportedly being actively exploited.
Apache rates the CVE-2021-44228 vulnerability as "critical" severity; it affects versions of Log4j before 2.14.1. Temporary mitigations were published on 10 Dec 2021, advising all who can to upgrade to Log4j version 2.15.0, or to restrict system properties as a temporary remediation until the patch from a stable version can be applied.
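The first step in "review and patch" is knowing where log4j-core sits on disk, including inside WAR/EAR and fat-jar archives that a plain file listing misses. The following inventory script is an added example and not from the original article; it assumes the article's threshold (anything older than 2.15.0 needs action) and uses a `!` separator of my own choosing to name entries nested inside an archive.

```python
"""Inventory log4j-core jars and flag any older than the 2.15.0 fix the article cites (added example)."""
import os
import re
import zipfile

FIXED_VERSION = (2, 15, 0)  # version the article advises upgrading to
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$", re.IGNORECASE)

def parse_version(path):
    """(major, minor, patch) for a log4j-core jar path or archive entry, else None."""
    m = JAR_RE.search(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None

def needs_patch(version):
    """True when the jar is older than the fixed version."""
    return version < FIXED_VERSION

def classify(paths):
    """Pure helper: (path, 'x.y.z', needs_patch) for every log4j-core jar in paths."""
    out = []
    for p in paths:
        v = parse_version(p)
        if v is not None:
            out.append((p, ".".join(map(str, v)), needs_patch(v)))
    return out

def nested_jars(archive):
    """log4j-core jars bundled inside a jar/war/ear (the fat-jar case a file walk misses)."""
    try:
        with zipfile.ZipFile(archive) as zf:
            # '!' separates the outer archive from the entry name (own notation, not Java's)
            return [archive + "!" + n for n in zf.namelist() if JAR_RE.search(n)]
    except (zipfile.BadZipFile, OSError):
        return []

def scan(root):
    """Walk root, look inside archives too, and classify everything found."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if parse_version(name):
                found.append(full)
            elif name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                found.extend(nested_jars(full))
    return classify(found)

# Constructed sample paths (not real findings) so classify() can be exercised without a filesystem.
SAMPLE = ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/log4j-api-2.14.1.jar",
          "/srv/web.war!WEB-INF/lib/log4j-core-2.15.0.jar"]
```

Run `scan("/")` (or a narrower root) on a host to get the list; any entry flagged `True` is a jar to upgrade or, where upgrading must wait, to cover with the temporary system-property mitigation the article mentions.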
If you are running legacy software or older versions of Java, then the available patches may have to be modified prior to implementation. Due to the nature of Log4j, deactivating it is not recommended, as logging capabilities are needed to watch for exploitation attempts.
Many cloud platforms, including Elasticsearch, Steam and iCloud as well as Minecraft, rely on Log4j as their default logging utility, so the Log4j library will have to be updated across the whole estate during one of the busiest times of the year, meaning organisations may not have the time or resources to patch the issue.
The situation underscores the challenges of managing risk within a business, and many organisations should look to external expert Managed Service Providers to assist in implementing fixes and securing their IT environment.