On Friday, December 10, 2021, Chinese security researcher p0rz9 publicly disclosed PoC exploit code for this issue and revealed that CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups option is set to false.
Log4j is an open-source library widely used by both enterprise apps and cloud services, including Apple iCloud and Steam.
A remote, unauthenticated attacker can exploit CVE-2021-44228 to execute arbitrary code on a vulnerable system, leading to a complete system takeover.
The vulnerability was discovered by researchers from Alibaba Cloud’s security team, who notified the Apache Foundation on November 24. According to the experts, the vulnerability is easy to exploit and does not require any special configuration; for this reason, it received a CVSSv3 score of 10/10. Researchers pointed out that Apache Struts2, Apache Solr, Apache Druid, and Apache Flink are all affected by this vulnerability.
Open-source projects like ElasticSearch, Elastic Logstash, Redis, and the NSA’s Ghidra also use the library.
IT giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, and NetEase are running servers potentially affected by the issue.
Security experts are already observing mass scanning activity for this vulnerability.
Today Canadian Minister Responsible for Digital Transformation and Access to Information Eric Caire confirmed the government’s decision to shut down sites that are being scanned, potentially for malicious purposes, in connection with exploitation of the Log4Shell flaw.
The government closed 3,992 sites including the education and higher education ministries’ sites.
“On Friday the 10th, we received, like everyone else on the planet, a status report on a computer security flaw that affects many systems,” Caire explained in a news conference. “We need to scan all of our systems,” said Caire. “We’re kind of looking for a needle in a haystack.”
The Minister explained that it is a preventive measure and they are not aware of any security breach caused by the exploitation of the issue.
“It’s a decision preventive not reactive,” added Caire.
Some of the sites that were taken offline are back online.
(SecurityAffairs – hacking, Log4Shell)