Introduction
Attackers are actively exploiting a remote code execution vulnerability found in the logging package log4j2 which is used in most Java applications. A program is vulnerable if it logs user input using the log4j2 package: the most popular logging solution used within Java. Since developers tend to log almost everything for debugging purposes, almost all applications will log user input.
The Attack
All an attacker has to do is send a single line of text to a vulnerable application. Once the application logs this line of text, the payload inside the text will be retrieved by the system and executed. The attacker will be able to remotely execute code on the computer hosting the application. There are already multiple proof of concepts of the attack available on the internet. The vulnerability doesn't only affect systems directly connected to the internet, but also backend systems. If attackers attempt to exploit the vulnerability on web servers, it's possible that this exploit will end up at backend servers. If any of these backend servers contain a vulnerable Java application processing user input it could result in an attacker executing code on your backend servers.
Vulnerable versions
All versions starting from 2.0-beta9 till 2.15 of the package log4j2 are vulnerable. log4j versions 1.x aren't vulnerable, but have reached end of life since August 2015 and should therefore not be considered as safe.
Mitigation
- Update log4j2 to version 2.17.0 or higher (requires access and restart). Versions for older Java versions (6 or 7) are available on the Apache.org website.
If you cannot update your log4j2 library, there are some mitigation options available. The Apache.org website has a list here.
Affected products
This vulnerability may affect you in several areas. Products you use may be affected, but also applications developed internally and SaaS applications in the cloud. Most major SaaS vendors have taken appropriate measures by now.
Hundreds of products are vulnerable to the Log4Shell vulnerability. Affected vendors include FortiNet, Dell, Apache, Microsoft, N-Able and VMware. The National Cyber Security Centre (NCSC) of the Netherlands has published a list of all the affected software. Use this list to determine if your organisation is using any vulnerable software, and if so, ensure to update it as soon as an update is made available.
If your company (or one of your IT suppliers) develops custom Java software, such as web applications, check if log4j2 is used within the product. If so, the version of log4j2 should be updated to the latest version.
Sources
