Critical 'Log4Shell' RCE zero-day exploited in large numbers

A simple-to-use exploit that allows remote code execution and full control over millions of vulnerable enterprise systems through a Java logging library is currently being abused in large numbers, researchers warn.


The bug lies in Apache Foundation's open source Struts Log4J logging utility, in version 2.14 and earlier. 


It is caused by the Java Naming and Directory Interface (JNDI) application programming interface not protecting against lookups at attacker-controlled endpoints, including ones that use the Lightweight Directory Access Protocol (LDAP).


Under the default Log4j configuration, when a vulnerable application writes to a log file, the library looks up a server; if an attacker controls that server, it can be set to send a malicious response.


The response can contain a remote Java class file which is injected into the server process and executed with the same privileges as the vulnerable application using the logging library.
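An added example, not from the original article or from the Log4j project: a Python scanner that inventories log4j-core copies inside application archives, including jars that are renamed or nested in other archives, and flags those in the version range the article gives. The `pom.properties` path is the standard Maven metadata entry in log4j-core jars; the function names, archive names and sample versions are constructed for illustration, and treating "2.14" as covering all 2.14.x releases is an assumption.

```python
import io
import re
import zipfile

# Maven writes this entry into log4j-core jars; its "version=" line survives renaming.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")
MAX_DEPTH = 4  # bound recursion into nested archives

def is_affected(version):
    """Article's range, 2.14 and earlier (assumed to cover 2.14.x); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))) <= (2, 14)

def scan_archive(data, label, depth=0):
    """Yield (location, version, affected) for each log4j-core copy in an archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive despite its extension
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.MULTILINE)
                version = m.group(1).strip() if m else "unknown"
                yield label, version, is_affected(version)
            elif name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
                yield from scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)

def make_archive(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample: an application archive bundling two renamed log4j-core jars.
    old = make_archive({POM_PROPS: "version=2.14.0\n"})  # constructed version
    new = make_archive({POM_PROPS: "version=2.99.0\n"})  # placeholder version
    app = make_archive({"lib/logging-a.jar": old, "lib/logging-b.jar": new})
    return list(scan_archive(app, "app.jar"))

if __name__ == "__main__":
    for location, version, affected in demo():
        print({True: "AFFECTED", False: "ok", None: "REVIEW"}[affected], version, location)
```

To scan a real file, pass its bytes and path to `scan_archive`; entries reported as `None` need manual review because their version string could not be parsed.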



And yes, you can google pretty much any big InfoSec vendor with log4j and find.. things. pic.twitter.com/nHIHg5jt5H


— Kevin Beaumont (@GossiTheDog) December 10, 2021

A proof of concept was published on Twitter and on GitHub, and the vulnerability is rated as a full 10 out of 10 possible on the common vul ..
