New Zero-Day In the Log4j Java Library Is Already Being Exploited

A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers. ZDNet reports: Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote code execution as the user running the application utilizes the Java logging library. CERT New Zealand warns that it's already being exploited in the wild. CISA has urged users and administrators to apply the recommended mitigations "immediately" in order to address the critical vulnerabilities. Systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.14.1 are all affected, including many services and applications written in Java. The vulnerability was first discovered in Minecraft but researchers warn that cloud applications are also vulnerable. It's also used in enterprise applications and it's likely that many products will be found to be vulnerable as more is learned about the flaw. Slashdot reader alfabravoteam shares an excerpt from a blog post by researchers a LunaSec, warning that "anybody using Apache Struts is likely vulnerable." From the report: Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We're calling it "Log4Shell" for short (CVE-2021-44228 just isn't as memorable). The 0-day was tweeted along with a POC posted on GitHub. [...] This has been published as CVE-2021-44228 now. Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable. Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j [to log4j-2.15.0-rc1].

Read more of this story at Slashdot.