The situation

Exploit code has been released for a serious code execution vulnerability in Log4j, an open-source logging utility used in countless websites and apps, including those used by large enterprise organisations.

Technical summary

Title of threat: Log4Shell
Date threat first identified: 09/12/21, on sites catering to users of the video game Minecraft
Associated CVE Number(s): CVE-2021-44228
Risk Severity: Critical – 10/10

  • Log4J is a widely used, open-source Java-based logging tool available from Apache. Many applications use Log4J, and it is present as a dependency in many services, including enterprise apps and numerous cloud services.
  • This vulnerability affects Apache Log4j2 versions 2.0 through 2.14.1.
  • Apache has released a patch in the form of an updated version of Log4J, version 2.15.

Risk to the customer

Log4J can perform network lookups through the Java Naming and Directory Interface (JNDI) to retrieve objects from directory services such as the Lightweight Directory Access Protocol (LDAP). The end result is that Log4j will interpret a log message as a URL, fetch it, and even execute any executable payload it contains with the full privileges of the main program. Exploits are triggered inside text using the ${} lookup syntax, which lets them be placed in browser user-agent strings or any other commonly logged attribute.

Researchers report seeing this critical and easy-to-exploit vulnerability used to install crypto-mining malware, recruit servers into Linux botnets, and exfiltrate configuration files, environment variables and other potentially sensitive data from vulnerable servers.

What you need to do

  1. Find all Java code on your network and check whether it uses the Log4j library, whether directly or as a dependency pulled in by other software.
  2. Update Log4J to version 2.15.0.
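As an added example for step 1 (not part of this advisory): a scanner that walks a directory tree for JARs, WARs and EARs, including archives bundled inside other archives, identifies copies of log4j-core by the JndiLookup class and the Maven pom.properties file Apache ships inside the artifact, and flags any version below 2.15.0. The JARs that demo() builds are constructed stand-ins containing only that metadata, not real Log4j code.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entries that identify a log4j-core JAR (Apache's own artifact layout).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
FIXED = (2, 15, 0)  # version the advisory tells you to update to

def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> comparable tuple such as (2, 14, 1)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))

def inspect_archive(data, label):
    """Findings (label, version, vulnerable) for one archive and any JAR/WAR/EAR nested in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP container, nothing to inspect
    names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        m = POM_PROPS in names and re.search(
            r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        version = m.group(1).strip() if m else "unknown"
        # a copy whose version cannot be read is reported as suspect, not ignored
        vulnerable = version == "unknown" or parse_version(version) < FIXED
        findings.append((label, version, vulnerable))
    for inner in names:
        if inner.lower().endswith(ARCHIVES):
            findings += inspect_archive(zf.read(inner), f"{label}!{inner}")
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every archive found in it."""
    return [f for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in ARCHIVES
            for f in inspect_archive(p.read_bytes(), str(p))]

def demo(versions=("2.14.1", "2.15.0")):
    """Scan constructed stand-in log4j-core JARs (metadata only) in a temp dir."""
    root = tempfile.mkdtemp()
    for v in versions:
        with zipfile.ZipFile(Path(root) / f"log4j-core-{v}.jar", "w") as zf:
            zf.writestr(POM_PROPS, f"version={v}\n")
            zf.writestr(JNDI_LOOKUP, b"")
    return scan_tree(root)
```

Point scan_tree() at an application server's deployment directory to list every embedded copy; a finding marked vulnerable is a copy still in the 2.0 to 2.14.1 range that step 2 has not yet replaced.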

For any further questions, please feel free to contact us.

External supporting references (URL, IOCs etc.):