Tech companies across the world are under pressure to fix a software vulnerability that many cybersecurity experts are calling one of the worst to be discovered in recent years.
The vulnerability, known as Log4shell, was identified in Apache’s Log4j software library that helps developers keep track of changes in the applications they build.
The software flaw was first noticed on sites catering to the popular video game Minecraft, and was officially reported to Apache on 24 November by Chen Zhaojun of Alibaba, according to Crowdstrike.
But it soon became clear that the vulnerability had far-reaching implications since the software is ubiquitous, used in millions of applications across the internet, including Amazon Web Services, Apple’s iCloud, and the video game distribution service Steam.
Experts say the vulnerability can allow hackers to take control of Java-based web servers and carry out remote code execution (RCE) attacks, which they may use to take control of affected systems.
This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable.
— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
Major tech companies including Microsoft, IBM, Cisco, and Google, as well as government agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) in the US have found that some of their services were vulnerable and issued advisories and guidelines on how best to tackle the threat.
There are already reports that hackers are mass scanning servers, attempting to fingerprint and identify vulnerable systems, Microsoft noted in a statement.
The tech giant added that, beyond scanning, exploitation and post-exploitation activity has also been observed.
Once hackers gain full access to and control of an application, depending on the vulnerabilities they exploit, they can pursue a range of objectives, such as installing cryptocurrency miners, stealing credentials, and exfiltrating data, Microsoft noted.
“Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system,” CISA noted in a statement.
CISA director Jen Easterly said the vulnerability was already being “widely exploited by a growing set of threat actors”, adding that the agency was working closely with public and private sector partners in the US to proactively address the vulnerability.
“To be clear, this vulnerability poses a severe risk. We will only minimise potential impacts through collaborative efforts between government and the private sector. We urge all organisations to join us in this essential effort and take action,” Ms Easterly added.
Companies have strongly urged customers managing applications with Log4j2 to update to the latest version, either directly or through their operating system’s software update mechanism.
Microsoft-owned Minecraft noted that the exploit has been “addressed with all versions of the game client patched”. But it added that users would still need to take additional steps such as looking out for new software updates to secure the game and their own servers.
Cisco said several of its products, including the widely used Cisco Webex Meeting server, are vulnerable, adding that it is investigating if more of its applications are at risk.
Google said it is currently working with VMware and would deploy fixes as they become available.
Since many organisations, especially in the developing world, do not have a clear audit of the software they use, experts say one of the biggest challenges in countering the threat would be in keeping track of the hundreds of millions of devices that are likely affected.
Apache Log4j 2.16.0 is now available. Thanks to the Apache Logging Services Project Management Committee (PMC) for working around the clock to get the release out so quickly! https://t.co/fCVZWwUgN6 #Apache #OpenSource #innovation #community #log4j #security pic.twitter.com/Odhf1xawYl
— Apache - The ASF (@TheASF) December 13, 2021
In its advisory, the UK’s National Cyber Security Centre (NCSC) has advised all organisations to install the latest updates immediately wherever Log4j is known to be used.
“Affected UK organisations should report any evidence of compromise relating to this vulnerability to the NCSC via our website,” it added.