Log4j 2, widely used in applications and services, is now subject to a vulnerability discovered Friday 10th December (CVE-2021-44228). The vulnerability has received a rating of 10 on the CVSS scale and is causing disruption to web services, allowing adversaries to take control of systems remotely.
Reports began Friday 9th December stating that many versions of Minecraft had been affected, with a proof of concept also being published. Other major services include Steam and Apple iCloud – researchers are still working to understand the range of services affected. Security consultants are currently working to provide a patch to prevent remote attackers exploiting the vulnerability further. This implementation may prove difficult due to the widespread nature of the third-party code.
Senior Security Consultant, Jack Richardson had the following words to offer: “due to the large attack surface and intrinsic severity of this remote code execution (RCE) vulnerability, it is imperative that thorough analysis is conducted on perimeter networks. Threat actors are actively taking a ‘spray and pray’ approach to trivially compromise affected external assets prior to pivoting into internal networks.”
It is highly recommended that organisations undertake an external infrastructure scan to check their perimeter. As such, we are imploring all our existing clients do this with immediate effect, especially those within the Charity and NFP sectors.
Apache released an updated version of Log4j on 10th December (Log4j 2.15.0) which requires organisation to be running Java 8 – any organisations using Java 7 will be required to update before implementing Log4j 2.15.0.