On 9 December, a vulnerability (CVE-2021-44228) was discovered in the Java-based Log4J library. The vulnerability consists in the possibility of Remote Code Execution and has been rated 10 on a 10-point scale.
This vulnerability is therefore extremely easy to exploit and can have major consequences.
Log4J is used in Apache projects (Struts 2, Solr, Druid and Flink), but the impact of this vulnerability has the potential to be enormous, as the Log4J module is used in many other products/applications in almost all industries. This includes products from a number of major vendors.
Exploiting the vulnerability requires that a vulnerable system is exposed to a potential exploiter with network access.
As the library in question is often used as part of a complete solution, it is not as simple as replacing one or more files in an operating system; the whole solution will probably have to be rebuilt and tested.
You are thus dependent on updates from your vendor, but for those who have built their own Java solutions and know how to update the current Log4J library, the vulnerability is reportedly fixed in version 2.15.0.
From our Threat Intelligence systems we are currently receiving information that there are massive scans on the Internet in which cyber criminals are looking for vulnerable systems. Some information suggests that vulnerable systems are being exploited for cryptocurrency mining, but also for more traditional attacks such as phishing, spam, etc.
Since network access is required to exploit the vulnerability, AddPro recommends that you try to minimize the exposure of Java-based systems to the Internet and check with your vendor whether the product in question is vulnerable.
AddPro is currently unable to publish a list of affected systems; instead, it must be assumed that all systems with a web interface are exposed until proven otherwise.
There are lists from various sources on the Internet that are continuously updated, for example https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/#affected-products
Please note that this is one of many lists and that AddPro cannot take any responsibility for the accuracy of the published data.
The actions that can be taken now are:
- Limit the exposure of suspicious systems to the Internet.
- If possible, also limit exposure on internal networks.
- Verify whether the system in question is Java-based and uses the affected log library.
- Wait for an update from the supplier.
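The third action above (verifying whether a system actually ships the affected library) is the one you can do yourself while waiting for the vendor. The following is an added example, not AddPro's tooling or anything from the Log4J project: it walks a directory tree, opens every `.jar`/`.war`/`.ear`, looks inside nested archives one level at a time, and reports each log4j-core it finds together with its version. The two artifact paths it keys on (`org/apache/logging/log4j/core/lookup/JndiLookup.class` and the Maven `pom.properties` for `log4j-core`) are the standard contents of a log4j-core jar; the `2.15.0` threshold is the fixed version named in the text. The sample jars it builds are constructed fixtures so the script runs offline; point `scan_tree` at a real application directory in practice.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Version named in the advisory as containing the fix.
FIXED_VERSION = (2, 15, 0)
# Standard contents of a log4j-core artifact (real paths, not constructed).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' or '2.16' into a comparable tuple; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def _inspect_zip(zf, location, findings):
    """Record log4j-core evidence in one archive, then recurse into nested archives."""
    names = set(zf.namelist())
    has_jndi = JNDI_CLASS in names
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
    if has_jndi or version is not None:
        # Unknown version with the lookup class present is treated as vulnerable (conservative).
        vulnerable = has_jndi and (version is None or version < FIXED_VERSION)
        findings.append({"location": location, "version": version,
                         "jndi_lookup": has_jndi, "vulnerable": vulnerable})
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _inspect_zip(inner, f"{location}!{name}", findings)


def scan_tree(root):
    """Return a list of findings for every archive under root (fat jars and WARs included)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".jar", ".war", ".ear"}:
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect_zip(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root):
    """Constructed fixtures: an old log4j-core, a fixed one, and a WAR bundling the old one."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)

    def make_jar(path, version):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\n")

    make_jar(root / "log4j-core-2.14.1.jar", "2.14.1")
    make_jar(root / "log4j-core-2.15.0.jar", "2.15.0")
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar",
                     (root / "log4j-core-2.14.1.jar").read_bytes())


def run_demo():
    """Build the constructed fixtures in a temp dir and scan them; returns the findings."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        ver = ".".join(map(str, f["version"])) if f["version"] else "unknown"
        print(f"{'VULNERABLE' if f['vulnerable'] else 'ok        '}  {ver:8}  {f['location']}")
```

The nested-archive walk matters in practice: an application packaged as a WAR or a shaded fat jar never shows a `log4j-core-*.jar` on disk, so a filename-only search misses exactly the deployments a vendor has "built as a complete solution". An archive that contains the lookup class but no readable `pom.properties` is flagged rather than skipped, which errs on the side of the assumption the advisory makes (exposed until proven otherwise).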