Log4Shell threat: cloud services must urgently update their logging software
The source of the vulnerability is Apache's Java-based logging library Log4j, which is widely used in applications and is pulled into many services as a dependency.
This includes enterprise applications, including custom applications developed within an organisation, as well as numerous cloud services.
The vulnerability in the library, tracked as CVE-2021-44228 and now known as Log4Shell, was first reported last Thursday, when it was exploited in the online game Minecraft.
However, experts warn that it is emerging as a major global threat, and it has already been assigned the highest possible severity rating of 10 under the Common Vulnerability Scoring System (CVSS).
The open source library Log4j 2 supports "lookups": when text being logged contains a pattern such as ${jndi:ldap://host/path}, the library resolves it at logging time by making a JNDI request to the named server. Until version 2.15.0 this happened by default for the message text itself, so an attacker who can get their own string written to a log (a User-Agent header, a username, a chat message) can point the lookup at a server they control, and the response can cause the application to load and run attacker-supplied code with the application's own privileges.
If attackers manage to trigger the lookup on a server, they gain the ability to execute arbitrary code and can potentially take full control of the system.
Security firm Kaspersky has said that what makes the vulnerability so dangerous is its ease of use. In a blog post on its website, published on Friday, it observed:
“Even an inexperienced hacker can successfully execute an attack using this vulnerability…attackers only need to force the application to write just one string to the log, and after that they are able to upload their own code.”
Working proofs of concept (PoCs) for attacks have already been shared among hackers and would-be hackers on the internet, and there have already been reports of this easy-to-exploit vulnerability being used to install crypto-mining malware and to bolster Linux botnets.
The UK's National Cyber Security Centre (NCSC) is advising organisations to mitigate the Apache Log4j 2 vulnerability by installing the latest Log4j updates as soon as possible.
“If you are using the Log4j 2 library as a dependency within an application you have developed, ensure you update to version 2.15.0 or later.”
According to the NCSC, version 1 of the Log4j library is no longer supported and has itself been affected by multiple security vulnerabilities.
The organisation adds that in earlier 2.x releases (2.10 and later) the flaw can also be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true", or by removing the JndiLookup class from the classpath. Both are stop-gaps for systems that cannot be patched immediately; upgrading remains the fix.
The NCSC recognises that it is not always easy for organisations to identify which applications use Apache Log4j 2, and advises vendors of any affected software to "communicate urgently with their customers to enable them to apply mitigations or install updates where they are available."
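The NCSC steps above (find the library, decide whether it needs updating, apply the JndiLookup mitigation where you cannot patch yet) are shown as one procedure in the added example below. It is written for this article and is not NCSC's or Apache's tooling. It assumes the library ships as jar files named log4j-core-<version>.jar that carry an Implementation-Version attribute in META-INF/MANIFEST.MF (falling back to the file name), and it does not descend into WAR, EAR or fat jars, which a real inventory must. The jars it inspects are constructed in a temporary directory with placeholder class bytes so the script runs offline.

```python
"""Added example: locate log4j-core jars, classify their version against the
2.15.0 advice, check for JndiLookup.class and strip it from jars that cannot
be upgraded yet. Sample jars are constructed stand-ins, not real Log4j."""
from __future__ import annotations

import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # version the NCSC advice quoted above names as fixed
_MANIFEST_VERSION = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)
_FILENAME_VERSION = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(version: str | None) -> tuple[int, int, int] | None:
    parts = re.findall(r"\d+", version or "")
    if not parts:
        return None
    nums = tuple(int(p) for p in parts[:3])
    return (nums + (0, 0, 0))[:3]  # pad "2.15" to (2, 15, 0)


def status(version: str | None) -> str:
    """ok / update / unsupported (1.x) / unknown, per the advice above."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v[0] < 2:
        return "unsupported"
    return "ok" if v >= FIXED else "update"


def jar_version(jar_path: str) -> str | None:
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = _MANIFEST_VERSION.search(manifest)
            if m:
                return m.group(1)
    m = _FILENAME_VERSION.search(os.path.basename(jar_path))
    return m.group(1) if m else None


def has_jndi_lookup(jar_path: str) -> bool:
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def find_log4j_jars(root: str):
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().startswith("log4j-core") and name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)


def assess(root: str) -> list[dict]:
    rows = []
    for jar in find_log4j_jars(root):
        version = jar_version(jar)
        rows.append({"jar": jar, "version": version, "status": status(version),
                     "jndi_lookup": has_jndi_lookup(jar)})
    return rows


def strip_jndi_lookup(jar_path: str) -> None:
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place).
    Same effect as: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class"""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)


def make_sample_jar(path: str, version: str) -> None:
    """Constructed stand-in for a log4j-core jar; class entries are placeholder bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo() -> dict:
    """Assess two constructed jars, mitigate the one that needs updating, reassess."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")

    def summarize(rows):
        return sorted((os.path.basename(r["jar"]), r["version"], r["status"], r["jndi_lookup"]) for r in rows)

    try:
        old = os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar")
        new = os.path.join(root, "svc", "lib", "log4j-core-2.15.0.jar")
        for path, ver in ((old, "2.14.1"), (new, "2.15.0")):
            os.makedirs(os.path.dirname(path))
            make_sample_jar(path, ver)
        before = assess(root)
        for row in before:
            if row["status"] == "update" and row["jndi_lookup"]:
                strip_jndi_lookup(row["jar"])
        return {"before": summarize(before), "after": summarize(assess(root))}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for phase, rows in demo().items():
        print(phase, *rows, sep="\n  ")
```

Note that stripping the class leaves the jar's version, and therefore its "update" status, unchanged: the report still tells you which systems are running on a stop-gap. The other mitigation on the page is applied at JVM start rather than to the jar, as the flag -Dlog4j2.formatMsgNoLookups=true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true), and only takes effect on 2.10 and later, as the NCSC says.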
It was reported on Friday that Microsoft has already issued a patch for Minecraft users and published further guidance the same day.