A newly found zero-day vulnerability in Apache Log4j, a widely used Java logging library, is simple to exploit and allows attackers to take complete control of affected servers. The vulnerability is classed as severe and enables unauthenticated remote code execution with the privileges of the user running the application that uses the logging library.
Java services and applications that use Apache Log4j versions 2.0 through 2.14.1 are vulnerable, as are the systems and services that embed them. CISA (Cybersecurity and Infrastructure Security Agency) has advised users and administrators to promptly apply the recommended mitigations to address the vulnerability.
Although the flaw was first identified in Minecraft, researchers have warned that cloud apps are also at risk. The library is also used in enterprise applications, and as more information about the problem becomes available, many more products may turn out to be vulnerable. Examining log files from any services running affected Log4j versions can help organizations determine whether they are affected.
A blog post by researchers at LunaSec warns that anybody using Apache Struts is likely vulnerable. “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it ‘Log4Shell’ for short,” the blog post said.
Users should set log4j2.formatMsgNoLookups=True to mitigate the vulnerability by adding “-Dlog4j2.formatMsgNoLookups=True” to the JVM command line that launches the program. It is strongly advised that older versions be upgraded to log4j-2.15.0-rc1 to prevent the library from being exploited.
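The two defensive steps above, checking whether deployed Log4j versions fall in the affected range and confirming the mitigating JVM property is set, can be scripted for a quick triage pass. The following is an added example written for this article, not code from the article, LunaSec or the Log4j project; it assumes the version is visible in the jar filename (as in `log4j-core-2.14.1.jar`) and that a JVM command line is available from an inventory or process listing. All sample paths and command lines are constructed.

```python
"""Triage helper for the Log4j issue described above (added example).

Checks a defender can run offline against an inventory:
  * is_affected_version(): does a log4j-core version fall in the 2.0 .. 2.14.1 range?
  * jvm_has_nolookups_flag(): does a JVM command line carry -Dlog4j2.formatMsgNoLookups=true?
Assumption: the version is encoded in the jar filename; a MANIFEST-based inventory is
more reliable where filenames have been stripped or renamed.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Version range the article gives as affected (inclusive at both ends).
FIRST_BAD = (2, 0, 0)
LAST_BAD = (2, 14, 1)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a jar name or version string, e.g. '2.15.0-rc1'.
    Only the basename is inspected so directory names like 'app-3.2' do not mislead it."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", os.path.basename(text))
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(version: str) -> bool:
    """True when the parsed version lies inside the affected 2.0 .. 2.14.1 range."""
    v = parse_version(version)
    return v is not None and FIRST_BAD <= v <= LAST_BAD


def jvm_has_nolookups_flag(cmdline: str) -> bool:
    """True when the JVM command line sets log4j2.formatMsgNoLookups to true.
    Matching is case-insensitive because Java's Boolean parsing accepts 'True'.
    Note: this property is only honoured by Log4j 2.10 and later, so an older jar
    still needs the upgrade even when the flag is present."""
    return re.search(r"-Dlog4j2\.formatMsgNoLookups=true\b", cmdline, re.IGNORECASE) is not None


def triage(jar_paths: List[str], cmdline: str) -> Dict[str, object]:
    """Report log4j-core jars in the affected range and whether the mitigating flag is set."""
    affected = [p for p in jar_paths if "log4j-core" in os.path.basename(p) and is_affected_version(p)]
    return {"affected_jars": affected, "flag_set": jvm_has_nolookups_flag(cmdline)}


if __name__ == "__main__":
    # Constructed sample inventory, not real findings.
    SAMPLE_JARS = [
        "/opt/app-3.2/lib/log4j-core-2.14.1.jar",
        "/opt/app-3.2/lib/log4j-api-2.14.1.jar",
        "/opt/other/lib/log4j-core-2.15.0-rc1.jar",
    ]
    SAMPLE_CMD = "java -Xmx2g -Dlog4j2.formatMsgNoLookups=True -jar app.jar"
    print(triage(SAMPLE_JARS, SAMPLE_CMD))
```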