Clients of OneCall have been advised about the risk presented by the ‘Log4Shell’ vulnerability, which is impacting some of the world’s largest technology companies, including Apple, Amazon, Cloudflare and Tesla, along with banks such as ANZ and thousands of other organisations.
The vulnerability was first discovered by the Alibaba Cloud Security team on November 24, with a proof of concept posted on GitHub on December 9. CERT NZ picked up the issue and communicated it to organisations throughout the country and around the globe through its advisory on December 10, 2021.
The widely used Java logging library Log4j is vulnerable to unauthenticated remote code execution (RCE) and denial of service when a user-controlled string is logged. This can give an attacker full control of the affected server, or let them mount a denial of service attack against it.
Reports from online users indicate that the vulnerability is being actively exploited in the wild and that proof-of-concept code has been published.
The CERT NZ advisory has since been updated several times as companies move to patch the vulnerability and Apache releases updated patches.
Systems and services that use Apache Log4j versions 2.0 through 2.14.1 are affected, including many services and applications written in Java.
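As an added example (not OneCall's or CERT NZ's tooling), the following Python script walks a filesystem tree and flags every log4j-core jar whose manifest version falls inside the 2.0 to 2.14.1 range quoted above; the directory layout and versions built in demo() are constructed for illustration, and the range bounds are assumed from this advisory, so adjust them as Apache's later advisories revise it.

```python
import os
import re
import tempfile
import zipfile

AFFECTED_MIN = (2, 0, 0)   # advisory: Log4j 2.0 through 2.14.1 inclusive
AFFECTED_MAX = (2, 14, 1)  # adjust as later Apache advisories revise the range

def parse_version(text):
    """Turn '2.14.1' or '2.3' into a comparable tuple; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def is_affected(version_text):
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def jar_version(path):
    """Read Implementation-Version from the jar's manifest (None if absent)."""
    try:
        with zipfile.ZipFile(path) as z:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def scan(root):
    """Walk root and return (path, version) for every affected log4j-core jar."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                if ver and is_affected(ver):
                    hits.append((path, ver))
    return sorted(hits)

def demo():
    """Constructed sample tree: two affected jars and one patched one."""
    samples = {"app/lib/log4j-core-2.14.1.jar": "2.14.1",
               "svc/log4j-core-2.3.jar": "2.3", "new/log4j-core-2.16.0.jar": "2.16.0"}
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with zipfile.ZipFile(full, "w") as z:
                z.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")
        return [ver for _, ver in scan(root)]
```

Jars are matched by the log4j-core file name, so shaded or "fat" application jars that bundle Log4j classes under another name will not be found by this scan and need a class-level check.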
The vulnerability was first discovered in the online gaming platform Minecraft, but researchers warn that cloud applications are also vulnerable. Log4j is also used in enterprise applications, and it’s likely that many more products will be found to be vulnerable as more is learned about the flaw.
The impact is widespread because Log4j is a common logging library used across most Java applications, including business systems that rely on it to record log information.
A few factors increase the likelihood of widespread exploitation: the vulnerability is an RCE that has existed for a long time, the library is widely deployed, and even unskilled attackers can trigger it.
Basically, ransomware operators who were hoping to catch enterprise teams off guard during the holidays have just received the perfect gift. A cryptominer leveraging the vulnerability has already reportedly been deployed, appearing less than 24 hours after a proof of concept was released.
How did we respond?
As soon as OneCall received notice of the problem, our engineers moved quickly to identify which of our clients were at risk, took steps over the weekend to mitigate any potential impact, and informed our client base to be aware of any potential issues that might arise going forward.
The primary concern is that, even after patches are applied, this vulnerability is likely to remain present across a wide range of applications, meaning that over time businesses may face attackers using this weakness as their entry point to servers and, from there, taking control of them.
In some cases, attackers may gain access through this vulnerability and then wait some time before carrying out their attack, collecting customer data and other critical information that can later be used to cripple a system or to extort payment in exchange for not publishing large amounts of private customer information, to give just one example.
If you are concerned about how your organisation might be impacted, or need IT support in relation to Log4j, please get in touch with the OneCall team – we are happy to provide consulting services and any additional support you may need.