Friday, December 17, 2021

Log4Shell Vulnerability - Details

What happened?

On December 9th, 2021, a zero-day exploit in the popular Java logging library “Log4J” (version 2) was discovered and widely publicized. The vulnerability can be used to execute code remotely, by tricking a system into logging a specific malicious string.

More technical details of this vulnerability can be found at this third-party resource.

Who is impacted?

Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.

An extensive list of responses from impacted organizations has been compiled here.

Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.

Many open-source projects, such as the Minecraft server Paper, have already begun patching their usage of log4j2.

What is required of app developers?

Version 2.15.0 of the log4j library, which fixes the vulnerability, has been released. It can be downloaded from Apache's official Log4j page or from your language's package manager (Maven Central, for example). App developers must immediately update any apps and integrations that use the Log4J Java library. Failure to do so may result in merchant data being compromised, and will put your application in violation
 
If upgrading is not possible, using the suggested temporary mitigation will also decrease the impact of the vulnerability. Common software solutions that may need patching or reconfiguration include Apache Solr, Apache Lucene, ElasticSearch, and other Java/JVM-based supporting applications.
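The first thing a developer has to do with the steps above is find out which deployed artifacts actually carry log4j-core and whether each one is already at 2.15.0 or later. The script below is an added example, not code from this page or from the Apache Log4j project: it parses log4j-core version numbers out of jar file names and Maven `pom.xml` dependency entries, compares them against the 2.15.0 release named above, and reports each finding as fixed, vulnerable, or mitigated. The "mitigated" state assumes the temporary mitigation is the `log4j2.formatMsgNoLookups=true` JVM system property that Apache's advisory described for releases 2.10 through 2.14.1; the page itself does not name the mitigation, so that property, the 2.10 lower bound, and all the sample jar paths and the pom snippet are assumptions constructed for the example.

```python
import re

# Release named on the page as containing the fix.
FIXED_VERSION = (2, 15, 0)
# Assumption (from Apache's advisory, not from the page): the lookup-disabling
# property is only honoured from 2.10 onwards, so older builds must be upgraded.
MITIGATION_MIN = (2, 10, 0)
MITIGATION_PROP = "log4j2.formatMsgNoLookups"

# Only the log4j-core module contains the vulnerable lookup code; log4j-api alone is not enough.
_JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*(?:-[\w.]+)?)\.jar$")
_POM_RE = re.compile(
    r"<artifactId>\s*log4j-core\s*</artifactId>\s*<version>\s*([^<\s]+)\s*</version>",
    re.S,
)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([\w.]+))?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, ''); '2.0-beta9' -> (2, 0, 0, 'beta9'); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), tag or "")


def classify(version, jvm_opts=""):
    """Classify one log4j-core version given the JVM options the process runs with."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    num, tag = v[:3], v[3]
    if num[0] != 2:
        return "not-log4j2"          # this advisory covers Log4j 2 only
    # A pre-release tag (e.g. 2.15.0-rc1) is not the final 2.15.0 release.
    if num > FIXED_VERSION or (num == FIXED_VERSION and not tag):
        return "fixed"
    property_set = f"-D{MITIGATION_PROP}=true" in jvm_opts.split()
    if num >= MITIGATION_MIN and property_set:
        return "mitigated"           # still schedule the upgrade; this only reduces impact
    return "vulnerable"


def triage(jar_paths, pom_text="", jvm_opts=""):
    """Map each log4j-core artifact found in jar paths or a pom.xml to its classification."""
    findings = {}
    for path in jar_paths:
        m = _JAR_RE.search(path)
        if m:
            findings[path] = classify(m.group(1), jvm_opts)
    for m in _POM_RE.finditer(pom_text):
        findings[f"pom:log4j-core:{m.group(1)}"] = classify(m.group(1), jvm_opts)
    return findings


# Constructed sample inventory for the example (not real deployment data).
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",        # API module only: not reported
    "/opt/solr/lib/log4j-core-2.15.0.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",  # too old for the property mitigation
]
SAMPLE_POM = """<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.13.3</version>
</dependency>"""
SAMPLE_JVM_OPTS = "-Xmx2g -Dlog4j2.formatMsgNoLookups=true"

if __name__ == "__main__":
    for artifact, state in triage(SAMPLE_JARS, SAMPLE_POM, SAMPLE_JVM_OPTS).items():
        print(f"{state:<11} {artifact}")
```

Run against a real host, feed `triage` the output of a `find / -name 'log4j-core-*.jar'` sweep plus the project's `pom.xml`, and the process's actual JVM arguments; anything reported as "vulnerable" or "mitigated" belongs on the upgrade list, with "vulnerable" entries first. Note that shaded or fat jars that bundle log4j-core under another file name will not be caught by the file-name pattern and need a check of the jar contents instead.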