
What Is the “Log4Shell” Security Flaw Around Which Concern Is Growing?

A flaw in the Log4j open source logging library allows arbitrary code execution on a vulnerable server by an attacker without the need for authentication. It exposes not only web applications that integrate Java but also those that use it indirectly. As a result, the number of potential victims – companies and public entities – is astronomical.

The Bundesamt für Sicherheit in der Informationstechnik (BSI), the German counterpart of the Agence nationale de la sécurité des systèmes d’information (Anssi), announced on December 10, 2021 the discovery of a vulnerability in the open source logging library Log4j, developed by Apache. Versions 2.0 to 2.14.1 are affected. The flaw was reportedly first detected by the Alibaba Cloud security team and reported to Apache on November 24, 2021, Bleeping Computer reports.

This library is very often used in Java/J2EE development projects as well as by vendors of Java/J2EE-based off-the-shelf software solutions, so the flaw affects a very large number of potential victims.

Execute arbitrary code without authentication

This vulnerability, named “Log4Shell”, allows a malicious actor to execute arbitrary code remotely if they are able to submit data to an application that uses the log4j library to log that data. Even worse, the attack can be performed without being authenticated.

In practice, a malicious actor could gain access to all the information on a website, including the personal data on it, by running malware on a targeted site.

An extremely critical threat

This vulnerability constitutes “an extremely critical threat”, the BSI warns, because the use of Log4j is “widespread”, so the flaw affects “countless products”. Even an organisation that does not use Java directly may be exposed through products that embed the logging library. This is the case for a very large number of software products, a list of which has been published by the New Zealand CERT. It includes Struts2, Solr, Flink, ElasticSearch, Kafka and Druid, but also Minecraft, Azure, iCloud (Apple), Steam and Oracle.
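Because Log4j is so often pulled in indirectly, the first defensive step is an inventory of which jars actually carry log4j-core in the affected 2.0 to 2.14.1 range named above. The following is an added example (not code from the article or from Apache) that reads the version from the Maven pom.properties entry that Maven-built log4j-core jars contain at a standard path, and compares it against that range; the sample jar it builds is a constructed fixture.

```python
"""Inventory helper: flag log4j-core jars whose version is in the affected range."""
import io
import re
import zipfile

# Affected range as stated in the article: Log4j 2.0 through 2.14.1 (inclusive).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Standard Maven metadata path inside a Maven-built log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' (or '2.0-beta9') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the version lies within 2.0 .. 2.14.1."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def log4j_core_version(jar_bytes):
    """Return the log4j-core version recorded in the jar's pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None  # not a Maven-built log4j-core jar (or metadata stripped)
        for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def scan_jar(jar_bytes):
    """Return (version, affected) for one jar; (None, False) when it is not log4j-core."""
    version = log4j_core_version(jar_bytes)
    return version, bool(version and is_affected(version))


def make_sample_jar(version):
    """Constructed fixture: a minimal jar holding only a pom.properties entry."""
    buf = io.BytesIO()
    props = f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n"
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, props)
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.0-beta9"):
        print(v, scan_jar(make_sample_jar(v)))
```

Shaded or repackaged jars may omit the pom.properties entry, and log4j is frequently nested inside war/ear archives, so a production inventory has to recurse into those containers as well.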
