There's a particularly nasty vulnerability stalking the internet. It's called CVE-2021-44228 and it's making heads spin on shoulders the world over.First discovered, or at least reported, at the end of November, CVE-2021-44228 is a software vulnerability that allows remote code executions via the Apache Foundation's Log4j.
What is Log4Shell?
Log4j is an open-source Java library that is used extensively in both open-source and commercial software. Log4j is primarily used for sending text strings that are stored in log files and databases.
It can be used to track website visitors, notify engineers when warnings or errors happen, etc. Unfortunately, Log4j isn't limited to log plain strings. It also allows for formatted text strings that can be executed as code.
The vulnerability allows attackers to control log messages or log message parameters. This means they can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The Bigger Problem
It's bad enough that attackers can execute arbitrary code via CVE-2021-44228. It's even worse when you realize Log4j is used widespread, meaning pretty much anyone using it is vulnerable. On top of that, if exploited correctly, attackers can do almost anything they want.
Is There a Solution?
Thankfully, there is. Apache released Log4j 2.16.0 on December 13th. An earlier fix was released on December 6th (2.15.0) but that was hampered by a CVE related to the issue (CVE-2021-45046).
There's currently a curated list over at GitHub that documents the software currently vulnerable to CVE-2021-44228. It's...massive. Thankfully it's being updated with patch information as it becomes available.
If anything the list helps paint the picture of how HUGE the impact is for this CVE. It's almost unimportant that there's a fix as it's going to potentially take months for people to patch their software (for a variety of reasons, not just sloth. I had to say that before anybody started pointed fingers).
I predict we haven't seen the end of this so keep coming back. We'll be updating the blog with more information when available.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.