Just four days after its initial disclosure, the Log4j 2 remote code execution vulnerability is already under heavy attack.
The vulnerability in an Apache framework for Java, designated CVE-2021-44228 and nicknamed "Log4Shell," was first disclosed on Thursday, when the Apache Software Foundation released a patch for the flaw the same day an anonymous security researcher known as "p0rz9" published a proof-of-concept exploit on GitHub.
Log4Shell was discovered and reported by Chen Zhaojun, a cloud security engineer at Alibaba. Chen found that an attacker who had access to the log files of a vulnerable server would be able to obtain remote code execution simply by adding a line of malformed code to the log file, such as by sending a chat message.
In addition to affecting many prominent enterprise applications and platforms, the flaw affected consumers as the popular game Minecraft and gaming app Steam were among the vulnerable pieces of software. Researchers have since found that the Log4j flaw was under attack for a week prior to public disclosure.
The release of the bug, and its severity and ease of exploit, sent many administrators scrambling over the weekend. Complicating matters were the ubiquity of the Log4j component in a number of applications and the difficulty of tracking down whether it was included in a given application's software by analyzing individual files.
While admins will not appreciate having spent the weekend combing through systems to track down vulnerabilities, those who have patched the flaw were wise to do so. Researchers say the bug is already under heavy attack in the wild as opportunistic attackers have created and distributed exploit scripts.
Troy Mursch, chief research officer at security firm Bad Packets, told SearchSecurity that attacks were not only already widespread, but were trending upward following the weekend.
"Some include crypto mining malware, DDoS (Mirai-like) malware and other remote code execution attempts relating to scanning activity enumerating vulnerable hosts," Mursch said. "Given how trivial it is to exploit the Log4j vulnerability, I would expect the interest level to remain high for some time."
While attacks on the bug may already be rampant, there are some mitigations available for the vulnerability. Administrators can remove the exposed components by upgrading to the latest version of Log4j; there are also automated patches and mitigations that can ease the process.
Security vendor Cybereason says it has developed a "vaccine" for Log4Shell that automates the fix. "In short, the fix uses the vulnerability itself to set the flag that turns it off. Because the vulnerability is so easy to exploit and so ubiquitous, it's one of the very few ways to close it in certain scenarios," Cybereason said.
"You can permanently close the vulnerability by causing the server to save a configuration file, but that is a more difficult proposition. The simplest solution is to set up a server that will download and then run a class that changes the server's configuration to not load things anymore."
In a blog post Monday, open source security vendor LunaSec outlined several mitigation and detection steps for enterprises responding to Log4Shell. The company warned against relying on web application firewall rules to block exploitation and that updating logging statements could have dangerous consequences.
Instead, LunaSec released a free command line tool that automatically scans Log4j packages for vulnerable versions.