The IT Nerd

A new actively exploited vulnerability has been discovered and sysadmins around the world are scrambling to patch all the things. MalwareBytes has a very good description of this here, but here’s the highlights:

If you’re running a service that relies on Apache Struts or uses the popular Apache Log4j utility we hope you haven’t made plans for the weekend.

An exploit listed as CVE-2021-44228 was made public on December 9, 2021. The exploit is simple, easy to trigger, and can be used to perform remote code execution (RCE) in vulnerable systems, which could allow an attacker to gain full control of them. All an attacker has to do is get the affected app to log a special string. For that reason, researchers have dubbed the vulnerability “Log4Shell”.

The vulnerability has a CVSS score of 10.0 out of a possible 10. It impacts Apache Log4j versions 2.0-beta9 to 2.14.1. Mitigations are available for version 2.10 and higher.

Log4j is an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the potential reach of this problem is enormous.

I can say that many companies are scrambling to patch the vulnerability via asking my friends “off the record”. I have to assume that it includes Steam and Apple as they are specifically called out as being vulnerable. That’s because it is being actively exploited. Thus making this is as non trivial as “non trivial” gets.

Yikes!

This entry was posted on December 10, 2021 at 2:43 pm and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.