Zero-day vulnerability in Log4j affects millions of Apache, Minecraft and other applications users; exploit code published

Experts report the release of an exploit for a remote code execution (RCE) vulnerability in Log4j, an open source logging utility used in all kinds of web applications, including those used by the world’s largest corporations.

News about these vulnerabilities began to unfold through websites frequented by Minecraft players. These platforms warned game users that threat actors could execute malicious code on servers running the Java version of Minecraft, manipulating log messages.

Experts note that this is a big security issue for environments tied to older Java runtimes, including web interfaces for multiple network devices, application environments using legacy APIs, and Minecraft servers, due to their reliance on older versions for mod compatibility.

Some users already report servers that perform scans across the Internet in an attempt to locate potentially vulnerable servers.

Log4j is built into multiple frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, so a host of third-party applications could also be affected by exploits of the same severity as those affecting Minecraft. 

Although it is known about the flaw, no major technical details are available; at the moment it is only known that the vulnerability received the identifier CVE-2021-44228 and that many popular systems could currently be affected.

On the other hand, Apache Foundation has not yet officially disclosed the vulnerability and its representatives have not responded to requests for any information. A group of researchers has analyzed the reports and concluded that this is a Java deserialization failure because Log4j makes network requests through the JNDI to an LDAP server and executes any code that is returned. The error is triggered within log messages with the use of the $ {} syntax.

Other reports claim that Java versions higher than 6u211, 7u201, 8u191 and 11.0.1 could show better resistance to exploiting the flaw, since the JNDI cannot load remote code using LDAP. However, threat actors could still exploit these bugs by abusing the classes that are present in vulnerable applications, although the success of these attacks would depend on the use of exposed devices.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.