Executive Summary
Apache Log4j, dubbed CVE-2021-44228, is an open-source logging utility in almost all major Java-based applications and servers. Currently running on 3 billion devices worldwide, Log4j has been exposed to a high-risk vulnerability underactive and vigorous exploitation. As of December 10th, nearly 10,000+ attacks exploiting this vulnerability have been discovered and that number continues to proliferate. The zero-day exploit named “Log4Shell” affects all industries and has impacted several popular services, including Apple iCloud, Twitter, Steam and Minecraft.
The exploitation of this vulnerability is simple and only requires the attacker to enter a piece of code into the target triggering the vulnerability, allowing the attacker to remotely control the user victim’s server.
“In the case of Minecraft, attackers were able to get remote code execution on Minecraft servers by simply pasting a short message into the chatbox.”
— Marcus Hutchins @MalwareTechBlog
Mitigation | Recommendations
- If possible, update to Log4j version 2.15.0
- Flip setting for versions log4j 2.10.0 and up
- Setting log4j2.formatMsgNoLookups to True
- This is done by adding -Dlog4j2.formatMsgNoLookups=true in the JVM command line
- Disable LDAP lookups
 |
Updated Alert Available Read the Update |
For additional information, contact:
Dan Gregory
VP | System Engineering, CBI
dgregory@cbisecure.com | 313.649.4611
References
- https://twitter.com/MalwareTechBlog/status/1469291924733390848
- https://raidforums.com/Thread-Apache-Log4j-explodes-with-high-risk-vulnerabilities-comparable-to-eternal-blue-ne
- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/
- https://twitter.com/GossiTheDog/status/1469374550441869323?s=20
