The vulnerability, dubbed “Log4Shell” by researchers at LunaSec and credited to Chen Zhaojun of Alibaba, has been found in Apache Log4j, an open source logging utility that’s used in a huge number of apps, websites and services. Log4Shell was first discovered in Microsoft-owned Minecraft, though LunaSec warns that “many, many services” are vulnerable to this exploit due to Log4j’s “ubiquitous” presence in almost all major Java-based enterprise apps and servers. In a blog post, the cybersecurity company warned that anybody using Apache Struts is “likely vulnerable.”
Companies with servers confirmed to be vulnerable to Log4Shell attack so far include Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, NetEase, Tencent and Elastic, though there are likely hundreds if not thousands of other organizations affected. In a statement given to TechCrunch, Cloudflare said it has updated systems to prevent attacks, adding that it saw no evidence of exploitation.
Robert Joyce, the director of Cybersecurity at the NSA, confirmed that GHIDRA, a free and open source reverse engineering tool developed by the agency, is also affected: “The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA,” he said.
The Computer Emergency Response Team (CERT) for New Zealand, Deutsche Telekom’s CERT, and the Greynoise web monitoring service have all warned that attackers are actively looking for servers vulnerable to Log4Shell attacks. According to the latter, around 100 distinct hosts are scanning the internet for ways to exploit the Log4j vulnerability.
Kayla Underkoffler, a senior security technologist at HackerOne, tells TechCrunch that this zero-day highlights the “threat that open source software presents as a growing portion of the world’s critical supply chain attack surfaces.”
“Open source software is behind nearly all modern digital infrastructure, with the average application using 528 different open source components,” Underkoffler said. “The majority of high-risk open source vulnerabilities discovered in 2020 have also existed in code for more than two years and most organizations lack direct control over open source software within supply chains to easily fix these weaknesses. Securing this often poorly funded software is imperative for any organization that relies on it.”
The Apache Software Foundation has released an emergency security update today to patch the zero-day vulnerability in Log4j, along with mitigation steps for those unable to update immediately. Game developer Mojang Studios has also released an emergency Minecraft security update to address the bug.
Updated with comment from Cloudflare.