Kaspersky’s recommendations to fix the Log4Shell vulnerability

Last week, a critical vulnerability (known as “Log4Shell” or “LogJam”, and tracked as “CVE-2021-44228”) was discovered by several cybersecurity researchers in Apache Log4j, a library that millions of Java applications use to record error logs. The vulnerability, unfortunately, affects hundreds of millions of devices: if exploited correctly, it allows an attacker to execute arbitrary code and, potentially, to take full control of a system.

A vulnerability that can also be exploited by inexperienced hackers

CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability that received the highest severity score because it enables remote code execution without authentication. In addition to affecting an impressive number of services and software products, this vulnerability has already been exploited by hackers (the first attacks date back to December 2).


All products that use this library (from version 2.0-beta9 to 2.14.1) are exposed to this new CVE. What makes CVE-2021-44228 so dangerous is the ease of exploitation: even a novice hacker can successfully carry out an attack with it. Attackers simply have to get the application to log a single string, and the library's message lookup substitution then loads their code into the application. In this way, hackers can make the application send information to a server they control, leading to arbitrary code execution, a leak of confidential information, or other large-scale attacks.

Evgueni Lopatin, Kaspersky’s security expert, commented: “What makes this vulnerability particularly dangerous is not only that attackers can gain full control over the system, but also how easy it is to exploit. Even a novice hacker can take advantage of it using software that exploits this CVE. However, the good news is that a reliable security solution can protect users.”

To protect yourself from this new threat, Kaspersky experts recommend downloading the most recent version of the library. If updating is not possible, a number of mitigation methods for manually blocking this vulnerability are available on the Apache Log4j 2 site. For example, users of Java 8 (or later) should upgrade to 2.16.0; those with Java 7 need patch version 2.12.2 (coming soon); in other cases it is necessary to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
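As an added example (not Kaspersky’s or Apache’s code) of the version check and the manual mitigation described above: it reads the log4j-core version from the jar’s Maven metadata, tests for the JndiLookup class, and strips that class the way the zip command does. The sample jar it builds is a constructed stand-in, and the make_sample_jar helper is an assumption for testing, not a real Log4j build.

```python
import re, shutil, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def jar_version(path):
    """Version from the Maven pom.properties inside the jar, or None."""
    with zipfile.ZipFile(path) as zf:
        props = zf.read(POM_PROPS).decode() if POM_PROPS in zf.namelist() else ""
    m = re.search(r"^version=(.+)$", props, re.M)
    return parse_version(m[1].strip()) if m else None

def assess(path):
    """'not-affected' (fixed release), 'mitigated' (JndiLookup stripped) or 'vulnerable'."""
    ver = jar_version(path)
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    # Fixed releases named in the article: 2.16.0 (Java 8+) and 2.12.2 (Java 7).
    if ver is not None and (ver >= (2, 16, 0) or ver == (2, 12, 2)):
        return "not-affected"
    return "vulnerable" if has_jndi else "mitigated"

def remove_jndi_lookup(path):
    """Pure-Python equivalent of `zip -q -d log4j-core-*.jar .../JndiLookup.class`."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    shutil.move(tmp, path)
    return assess(path)

def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (assumption; not a real Log4j build)."""
    path = tempfile.mktemp(suffix=".jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return path

if __name__ == "__main__":
    jar = make_sample_jar("2.14.1")
    print(assess(jar), "->", remove_jndi_lookup(jar))  # vulnerable -> mitigated
```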